RE: How to accept RADIUS traffic on multiple interfaces?

2013-08-14 Thread McNutt, Justin M.
Also don't forget to disable (or modify) SELinux.  If memory serves, RHEL 6 
comes with that enabled by default as well.

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On 
Behalf Of Matteo Vocale
Sent: Wednesday, August 14, 2013 2:32 PM
To: FreeRadius users mailing list
Subject: Re: How to accept RADIUS traffic on multiple interfaces?

Before running radius in debug mode, try iptables -F with root privileges; it
disables the iptables default rules.

Phil Mayers p.may...@imperial.ac.uk wrote:

On 14/08/13 15:07, Kurt Hillig wrote:

 But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 - 
 tcpdump shows it coming in, but radiusd -X shows no indication of 
 this traffic (but is reporting all of the traffic on eth0).

If radiusd -X isn't reporting *anything*, then it's not reaching 
FreeRADIUS, which means some part of the network stack is dropping it.

If you're sure your iptables are correct, google linux log martians 
and linux rp filter. RHEL6 has different defaults to previous RHEL 
versions in this regard.
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


RE: How to accept RADIUS traffic on multiple interfaces?

2013-08-14 Thread McNutt, Justin M.
One other thing with multiple interfaces:  RHEL 6 comes with some anti-spoofing 
features in the kernel enabled by default.  I'm afraid I forget exactly what 
they are, but the idea is this:  If the kernel gets a packet from HostA on 
eth1, but the routing table says that the return path to HostA is via eth0, the 
kernel will drop the packet.

If you have this case, you have two choices:
1)  Make sure that requests come IN the same interface that will send 
the replies.
2)  Turn off the anti-spoofing features in the kernel.

There's also the third option in which you create separate routing tables for 
each interface (plus the master routing table for sessions initiated 
outbound).  It's a pretty big hammer, but has other advantages for multi-homed 
systems.  Write back to me off-list if you want to go that route (pardon the 
pun).

--J

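The drop rule described above is Linux reverse-path filtering (net.ipv4.conf.*.rp_filter). What follows is an added Python model of that check, not code from the thread or from any of the posters; the routing table it uses for a two-NIC RADIUS host (eth0 default route, eth1 facing a 10.1.0.0/16 NAS network) and the addresses are constructed. It shows which packets strict mode (1) and loose mode (2) drop, and why lowering only the per-interface value can leave the drop in place.

```python
import ipaddress

# Constructed routing table for a two-NIC RADIUS host (assumption, not from the thread):
# eth0 carries the default route, eth1 faces the 10.1.0.0/16 NAS network.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.0.2.0/24", "eth0"),
    ("10.1.0.0/16", "eth1"),
]

# The same table without a default route, to show the one case loose mode still drops.
ROUTES_NO_DEFAULT = [r for r in ROUTES if r[0] != "0.0.0.0/0"]


def lookup_egress(routes, address):
    """Longest-prefix match: the interface the kernel would use to reach `address`, or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def effective_mode(all_value, iface_value):
    """The kernel applies the higher of conf/all/rp_filter and conf/<iface>/rp_filter.

    So lowering only the per-interface value while conf/all/rp_filter is 1 changes nothing.
    """
    return max(all_value, iface_value)


def rp_filter_verdict(routes, src_ip, ingress_iface, mode):
    """'accept' or 'drop' for a packet from src_ip arriving on ingress_iface.

    mode 0: no source validation.
    mode 1 (strict): the best route back to src_ip must leave via ingress_iface.
    mode 2 (loose): src_ip only has to be reachable via some interface.
    """
    if mode == 0:
        return "accept"
    egress = lookup_egress(routes, src_ip)
    if mode == 1:
        return "accept" if egress == ingress_iface else "drop"
    if mode == 2:
        return "accept" if egress is not None else "drop"
    raise ValueError("rp_filter mode must be 0, 1 or 2")


def explain(routes, src_ip, ingress_iface, all_value, iface_value):
    """One line of diagnosis: effective mode, route back, verdict."""
    mode = effective_mode(all_value, iface_value)
    return "%s in on %s: rp_filter=%d, route back via %s -> %s" % (
        src_ip, ingress_iface, mode, lookup_egress(routes, src_ip),
        rp_filter_verdict(routes, src_ip, ingress_iface, mode))


if __name__ == "__main__":
    # A NAS on the eth1 subnet passes even strict mode.
    print(explain(ROUTES, "10.1.5.5", "eth1", 1, 1))
    # A NAS whose return path is the default route via eth0, but which sends into eth1:
    # dropped in strict mode (the symptom in the thread)...
    print(explain(ROUTES, "198.51.100.7", "eth1", 1, 1))
    # ...still dropped if only eth1 is set to 0, because all=1 wins...
    print(explain(ROUTES, "198.51.100.7", "eth1", 1, 0))
    # ...accepted once eth1 is loose (2 beats 1)...
    print(explain(ROUTES, "198.51.100.7", "eth1", 1, 2))
    # ...and loose mode only drops when there is no route back at all.
    print(explain(ROUTES_NO_DEFAULT, "198.51.100.7", "eth1", 2, 2))
```

On a live host the inputs come from `ip route` and `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth1.rp_filter`. Setting `net.ipv4.conf.eth1.log_martians = 1` makes the kernel log each such drop as a "martian source" line, and the running count of these drops is the IPReversePathFilter counter in /proc/net/netstat. Of the two fixes in the message above, adding a route for the NAS network via eth1 keeps strict mode intact; if you do relax the interface, loose mode (2) is a smaller step than 0, but note that with a default route present it accepts any source address, so it only still protects against sources with no route at all.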


redundant-load-balance

2012-08-24 Thread McNutt, Justin M.
From 'man unlang' I see this:

redundant-load-balance {
    ldap1 # 50%, unless ldap2 is down, then 100%
    ldap2 # 50%, unless ldap1 is down, then 100%
}

I clearly don't know what I'm doing when it comes to defining these modules.  
If I have just ldap in there, it works.  raddb/modules/ldap exists and is 
configured correctly.

However, when I do this in my raddb/sites-enabled/FOO:

authorize {
    ...
    redundant-load-balance {
        ldap1
        ldap2
        ldap3
    }
    ...
}

I get the following errors from radiusd -XC:

/etc/raddb/sites-enabled/campus-main[179]: Failed to load module ldap1.
/etc/raddb/sites-enabled/campus-main[179]: Failed to parse ldap1 entry.
/etc/raddb/sites-enabled/campus-main[70]: Errors parsing authorize section.

I tried copying modules/ldap to modules/ldap1, but that didn't work.  Also 
changed the ldap { ... } in modules/ldap1 to ldap1 { ... }.  No help there.

This must be some syntactical aliasing that I haven't set up.  What am I 
missing?  For now, ldap1, ldap2, and ldap3 can all be identical (for testing).  
As it happens, they point to ldap.missouri.edu at the moment, which is itself a 
DNS round robin.  My plan is that if it fails on the first attempt, it should 
attempt at least two more times, likely hitting different real servers before 
actually failing.

Thoughts?

Thanks!

--J


RE: redundant-load-balance

2012-08-24 Thread McNutt, Justin M.
Yup.  That was it.  Thanks to both of you who replied.  :)

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On 
Behalf Of Arran Cudbard-Bell
Sent: Friday, August 24, 2012 12:31 PM
To: FreeRadius users mailing list
Subject: Re: redundant-load-balance

 
 
 Thoughts?

ldap ldap1 {
    ldap config
}

ldap ldap2 {
    ldap config
}

ldap ldap3 {
    ldap config
}

-Arran


RE: redundant-load-balance

2012-08-24 Thread McNutt, Justin M.
Okay new related question.  I have these working:

ldap ldap1 { ... }
ldap ldap2 { ... }
ldap ldap3 { ... }

Is there an $INCLUDE syntax for modules (is it perhaps just $INCLUDE ./file) 
that will load ./file in the current context that I can use so that ldap1, 
ldap2, and ldap3 can share all of their common settings?  At the moment, I just 
have them all duplicated, which works, but doesn't scale well.

Thanks again!

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On 
Behalf Of Omri Bahumi
Sent: Friday, August 24, 2012 12:37 PM
To: FreeRadius users mailing list
Subject: Re: redundant-load-balance

 I get the following errors from radiusd -XC:

 /etc/raddb/sites-enabled/campus-main[179]: Failed to load module ldap1.
 /etc/raddb/sites-enabled/campus-main[179]: Failed to parse ldap1 entry.
 /etc/raddb/sites-enabled/campus-main[70]: Errors parsing authorize section.

 I tried copying modules/ldap to modules/ldap1, but that didn't work.  Also 
 changed the ldap { ... } in modules/ldap1 to ldap1 { ... }.  No help there.

 This must be some syntactical aliasing that I haven't set up.  What am I 
 missing?  For now, ldap1, ldap2, and ldap3 can all be identical (for 
 testing).  As it happens, they point to ldap.missouri.edu at the moment, 
 which is itself a DNS round robin.  My plan is that if it fails on the first 
 attempt, it should attempt at least two more times, likely hitting different 
 real servers before actually failing.

You need to create another instance of ldap. See here:
http://wiki.freeradius.org/Rlm_ldap#Group-Support
In other words if in radiusd.conf we configure an ldap module instance like: 
ldap myname { [...] }

Change ldap { ... } to ldap ldap1 { ... } and it should solve your issue.

Good luck,
Omri.


redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
Grrr...

This is probably a Samba issue - a known one? - but I can't seem to get AD 
authentications to hit multiple DCs.  Everything goes to the one listed in 
/etc/samba/smb.conf (which may be a coincidence).

I set up several mschap instances like so:

mschap mschap1 { ...
    ntlm_auth -s /etc/samba/radius.smb1.conf
}

mschap mschap2 { ...
    ntlm_auth -s /etc/samba/radius.smb2.conf
}

mschap mschap3 { ...
    ntlm_auth -s /etc/samba/radius.smb3.conf
}

I also disabled all PAP, CHAP, and references to mschap in all virtual 
servers listed in sites-enabled.  There is currently no mschap { ... } 
section in modules/mschap.

Added this to sites-enabled/campus-inner-tunnel where mschap was before:

redundant-load-balance {
    mschap1
    mschap2
    mschap3
}

Authentication *works*, but all authentications go to the same DC (the one 
specified in mschap2).  Running radiusd -X shows that all mschap1/2/3 
instances are being called, and no authentication *attempts* are being sent to 
the other two domain controllers.  (1 and 3 aren't failing.  They just aren't 
*tried*.)

Am I going about this all the wrong way?  Is this a known limitation in Samba?  
Is there something about ntlm_auth that always references /etc/samba/smb.conf, 
regardless of the -s option?

Comments and criticisms welcome.

--J


RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
Alan D. and Alan B. are correct.  Whatever this is, it isn't FreeRADIUS that 
isn't behaving.  Radiusd -XC shows that pretty conclusively.  At this point, if 
any of you are using Samba/ntlm_auth to handle the back-end authentication for 
FreeRADIUS, your advice is welcome, but it's definitely a Samba issue at this 
point.  (Possibly even a Kerberos issue, though the way Samba does Kerberos is 
a little... odd...)

Fortunately, the only Samba-related daemons actually running on my FR host are 
the two instances of winbindd.  Smbd and nmbd are not in the process list.  
(Actually, my server admins have been doing their jobs.  There isn't much in 
the process list AT ALL.  But I digress...)

Attempts to use the -s option with ntlm_auth to force the password server 
option in smb.conf to vary have failed.

Setting multiple servers in the main smb.conf is an option:

  password server = server1 server2 server3

...however, ntlm_auth doesn't seem to use them.  For whatever reason, it seems 
to always talk to server1, even when only server2 is listed in any config file 
I can find.

Queries to domain controllers on port 3269 DO seem to round-robin, though I 
couldn't tell you why for sure.

Any advice is welcome, though technically off-topic at this point.  I'm going 
to have to hack on Samba until it gives me what I want.

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On 
Behalf Of alan buxey
Sent: Friday, August 24, 2012 3:59 PM
To: FreeRadius users mailing list
Subject: Re: redundant load balancing and mschap

Hi,

Authentication *works*, but all authentications go to the same DC (the one
specified in mschap2).  Running radiusd -X shows that all mschap1/2/3
instances are being called, and no authentication *attempts* are being
sent to the other two domain controllers.  (1 and 3 aren't failing.  They
just aren't *tried*.)

I would advise increasing debugging in smbd/winbindd and for ntlm_auth.

Also check your Samba and Kerberos configs to see how you are querying the KDC 
- are you specifying particular names?  It could be that your client did a DNS 
lookup, cached that answer and doesn't want to use anything else - a few entries 
in /etc/hosts might be in order.

alan


RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
The underlying problem is that I have four production RADIUS servers that all 
seem to choose the same domain controller, which is not only a lot of load, but 
it's a bad idea in terms of fault tolerance.

I may try just making each server choose a separate DC as its default, for 
starters, which would get me most of the way there.  The wireless controllers 
that authenticate against the RADIUS servers *themselves* round-robin among the 
RADIUS servers, so if one of them - or even two of them - were talking to a DC 
that is down, a given user's machine is likely to re-attempt authentication and 
succeed eventually.  We'd hear a lot of complaints that getting on wireless is 
slow but things would *work*.

Anyway, thanks for the insight.  I'll keep banging on it.  If I get an elegant 
- or at least *stable* - configuration, I'll post something about it here.

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On 
Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 4:23 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: redundant load balancing and mschap

On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
 Grrr...
 This is probably a Samba issue - a known one? - but I can't seem to 
 get AD authentications to hit multiple DCs.  Everything goes to the 
 one

This is indeed a Samba issue, and unfortunately a hard one to fix.

ntlm_auth doesn't talk over the network - rather, it talks over a Unix socket 
to winbind. Winbind maintains a *single* open session to a DC, and sends all 
the domain RPCs down this pipe.

Winbind discovers the DC from the AD subnet/site queries and builds an 
app-specific kerberos config that will show you this - see 
/var/lib/samba/smb_krb5/krb5.conf.DOMNAME

If you want to force connections to separate domain controllers, you'll need 
separate smbd/winbindd instances running, with their own unix sockets and 
smb.conf setups. This will probably be hard, and fragile.

My advice - don't, unless you really really need to.


RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
Because there are so many files (pipes, actual files, etc.) whose locations 
are hard-coded into winbind, the only way to even begin to try to run multiple 
instances of winbind would be through chroot-ed setups, which would probably 
mean that ntlm_auth would also have to run in the same chroot-ed environment in 
order to locate the correct pipe.

Messy.  And that's still assuming that I can force a given instance of winbind 
to talk to the DC I want.  Need to start from that angle and see where I get.

--J



Re: RHEL Patches Broke FreeRADIUS

2012-03-03 Thread McNutt, Justin M.
...

*facepalm*

Yeah, that'd do it.  Much easier than what I was doing.

Thanks, Alan.  :)

--J

From: Alan DeKok al...@deployingradius.com
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Sat, 3 Mar 2012 09:14:31 +0100
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: RHEL Patches Broke FreeRADIUS

McNutt, Justin M. wrote:
I'd like to tackle this from the FreeRADIUS side rather than by reconfiguring 
rpm because I can think of other reasons why some idio^H^H^H^H well-meaning 
admin might stick a test file in there without realizing that it causes 
problems.  Switching to a site-specific module name (or some other method that 
allows FR to ignore the extra files) would prevent any such scenario.

  The modules directory is just a convention.  It can be changed.

  Instead, put the modules into raddb/missouri/ :)

  Change radiusd.conf to edit $INCLUDE modules/ to missouri/

  And the problem will go away.

  Alan DeKok.


Re: Re[2]: High Avaibility

2012-03-02 Thread McNutt, Justin M.
Be careful with load balancers too.  Some NAS don't work well through a load 
balancer (Trapeze wireless controllers).

--J

From: Толик Шавловский tolik_shavlov...@mail.ru
Reply-To: Толик Шавловский tolik_shavlov...@mail.ru, FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thu, 1 Mar 2012 17:52:29 +0400
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re[2]: High Avaibility

Hi,

If your NAS does not support 2 RADIUS servers, you can use a load balancer (e.g. 
Fortinet).




On 1 March 2012, 15:37, Phil Mayers p.may...@imperial.ac.uk wrote:
On 01/03/12 10:16, Anto wrote:
 Hello

 In the coming days I will set up a FreeRADIUS server for access
 control and accounting. I've been looking for information on
 FreeRADIUS and high availability, since my idea is to have two servers
 so that if one fails, operation continues with the other, but I have just
 found information. So I turn to the list, in case someone with
 experience can recommend something.

 I do not know if it is feasible to have one server as master and one as
 slave, so that when the main one falls, the other brings up the interface. Or
 if there is some kind of RADIUS balancer that uses both servers, etc.
This is a very vague question. You're going to get a lot of either
too-vague or too-specific answers.

A few things you need to specify:

  1. When you say high availability, what are you hoping to achieve?
  2. How long an unscheduled outage can you tolerate? 1 second or 60?
  3. Do your RADIUS servers talk to external data sources (SQL, LDAP)?
  4. Do you care about load-balancing, or just high-availability?

I'll make a few comments:

Most NASes support 2 (or more) RADIUS servers, and will fail over when
they detect an outage. For resilience, you just need to build two RADIUS
servers on different IPs, and specify these in your NAS.

You don't need a load-balancer or other complications, and they will
just make things less reliable.

Making redundant RADIUS servers is easy; you just build two machines,
and run FreeRADIUS on each with the same config. The hard bit is
replicating any data sources between them (LDAP, SQL) and handling
writes such as accounting packets into SQL, SQL session counters, and
so on.

You need to be more specific about what you're doing and what you want
to achieve.


RHEL Patches Broke FreeRADIUS

2012-03-02 Thread McNutt, Justin M.
So my server admins did what they're supposed to do and ran yum update on 
everything last weekend.  The updates included a refresh of the freeradius2 
packages that took FR from 2.1.7 to 2.1.12.

That's all fine and dandy, except that what rpm does when it has config files 
that are part of a package - like /etc/raddb/modules/ldap - and those config 
files exist on your system already AND those config files have changed, is that 
it renames the new one to blah.rpmnew.

This created a nasty problem.  Now I have an /etc/raddb/modules/ldap and an 
/etc/raddb/modules/ldap.rpmnew, both of which define how ldap { } is supposed 
to work.  Same thing happened to the mschap module.

SO...

The way I avoided this problem in the $RADDB/certs and $RADDB/sites-available 
directories is that I'm not using the default filenames in the first place.  My 
certs are not named ca.pem and server.pem and so on.  I'm not using the 
default or inner-tunnel virtual server definitions.  I copied them to 
site-specific names and used THOSE, so I get the benefit of the sanity of the 
built-in virtual server definitions (not to mention an unsullied copy for 
contrast), but rpm doesn't screw me up.

The $RADDB/modules directory doesn't seem to work that way.  I can't just do 
cp ldap ldap-site and call ldap-site from my virtual server instead of 
ldap.  I also can't leave it the way it is (stock) because rpm is going to 
come along and put another ldap.rpmnew file in there.  I can't not patch FR 
because my predecessor went down that road and that's why he's not in charge of 
the RADIUS servers any more.

Ideas?

I'd like to tackle this from the FreeRADIUS side rather than by reconfiguring 
rpm because I can think of other reasons why some idio^H^H^H^H well-meaning 
admin might stick a test file in there without realizing that it causes 
problems.  Switching to a site-specific module name (or some other method that 
allows FR to ignore the extra files) would prevent any such scenario.

Thx!

--J
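Alan's fix (earlier on this page) moves the module files out of the directory the package owns. Either way, the thing to check after an update is whether two files in the included directory now define the same module instance at top level, which is exactly what an ldap plus ldap.rpmnew pair does. The following is an added Python check, not code from the thread or from FreeRADIUS: the header pattern it matches ("module [instance] {" at brace depth zero) is an assumption about the usual layout of raddb/modules/* files rather than a parser of the configuration grammar, and the sample files it writes are constructed.

```python
import os
import re
import tempfile

# A module file line that opens a top-level instance: "<module> [<instance>] {".
# Assumption about the usual layout of raddb/modules/* files, not a full config parser.
HEADER = re.compile(r"^\s*([A-Za-z_][\w-]*)(?:\s+([\w-]+))?\s*\{")


def instance_name(line):
    """Return the instance name a header line defines ('ldap' for 'ldap {', 'ldap1' for
    'ldap ldap1 {'), or None if the line is not a section header."""
    m = HEADER.match(line)
    if not m:
        return None
    module, instance = m.group(1), m.group(2)
    return instance or module


def find_duplicate_instances(module_dir):
    """Map each instance name defined at brace depth 0 in more than one file to those files.

    Comments are stripped before counting braces; braces inside quoted strings (for example
    %{User-Name}) are counted, which is harmless as long as they are balanced.
    """
    seen = {}
    for fname in sorted(os.listdir(module_dir)):
        path = os.path.join(module_dir, fname)
        if not os.path.isfile(path):
            continue
        depth = 0
        with open(path) as fh:
            for line in fh:
                code = line.split("#", 1)[0]
                if depth == 0:
                    name = instance_name(code)
                    if name:
                        seen.setdefault(name, []).append(fname)
                depth += code.count("{") - code.count("}")
    return {name: files for name, files in seen.items() if len(files) > 1}


def make_sample_raddb():
    """Write a constructed modules/ directory that reproduces the ldap + ldap.rpmnew collision."""
    d = tempfile.mkdtemp(prefix="raddb-modules-")
    files = {
        "ldap": 'ldap {\n\tserver = "ldap.example.edu"\n\ttls {\n\t\tstart_tls = no\n\t}\n}\n',
        "ldap.rpmnew": '# new default shipped by the package\nldap {\n\tserver = "localhost"\n}\n',
        "mschap": 'mschap mschap1 {\n\tntlm_auth = "/usr/bin/ntlm_auth --username=%{User-Name}"\n}\nmschap mschap2 {\n}\n',
        "pap": "pap {\n}\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    sample = make_sample_raddb()
    for name, files in sorted(find_duplicate_instances(sample).items()):
        print("instance %r defined in: %s" % (name, ", ".join(files)))
```

Point `find_duplicate_instances` at /etc/raddb/modules (or whatever directory your radiusd.conf $INCLUDEs) after an update; a quick `find /etc/raddb -name '*.rpm*'` catches the renamed files themselves, and `radiusd -XC` remains the authoritative test of whether the resulting configuration loads.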


Am I still subscribed?

2012-03-02 Thread McNutt, Justin M.
Mailing list seems to be having problems.  Checking to see if it's just me.

--J


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-12 Thread McNutt, Justin M.
I'm not sure why, then, but it actually does work.  We have shown that with the 
client configured to use u...@e.mail.address (where e.mail.address is NOT the 
same as the AD domain), if I have FR look for 'e.mail.address' and translate it 
to the correct NT domain, authentication succeeds.

The user name must not be part of the crypto calculation or it would fail.  
I've been able to correct all kinds of things in the user name and set the 
domain manually to whatever I want.  As long as I supply the correct password 
on the client side to what I happen to know the RADIUS server has mapped my ID 
to, authentication is successful.

--J

From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 3 Feb 2012 12:48:30 +
To: freeradius-users@lists.freeradius.org
Subject: Re: Multi-domain AD and Users Who Aren't So Bright

On 02/02/2012 05:33 PM, NdK wrote:
On 02/02/2012 13:35, McNutt, Justin M. wrote:

Thoughts?  Opinions?  Better ways to accomplish any/all of this?

Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your users always use the correct DOM\user
format.
Or make 'em use their institutional email address. Easier to remember :)

This doesn't work, unless username == email local part.

Seems trivial but it might not be. At least in our case we have 3 kinds
of email addresses, referring to 2 domains. And the name before the '@'
sign might not be the same as the sAMAccountName.

Exactly. And this name is mixed into the challenge/response. If you try
to use email addresses, the client will calculate:

   response = crypto(challenge, e.m...@domain.com, password)

Let's assume you map email -> username on your radius servers:

   Real-Username = some_lookup(User-Name)

...and you then call ntlm_auth, this basically asks the domain controllers:

   is_valid(Real-Username, challenge, response)

The domain controllers do this:

   expected_response = crypto(challenge, samaccountname, stored_password)
   if response != expected_response:
       error
   else
       success

See the problem? The domain controller performs its crypto calculation
on the samaccountname. The client performs its crypto on the email
addresses. The results differ, and authentication fails.

Basically, usernames != email address, unless you MAKE them the same.
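For anyone working out what a name rewrite does to the MS-CHAPv2 exchange discussed above, RFC 2759 specifies exactly what the peer hashes. The block below is an added Python example, not from the thread and not FreeRADIUS code: the realm table, the default domain and the sample names are constructed assumptions, and which FreeRADIUS attributes or ntlm_auth options carry the values is deliberately left out because the page does not show it. It separates the two inputs a verifier needs: the account to look up, and the 8-byte challenge hash, which per RFC 2759 section 8.2 is SHA1 over the peer challenge, the authenticator challenge and the user name as the peer presented it, excluding any prepended domain.

```python
import hashlib

# Constructed site data (hypothetical; every site's table is different): the realm a user
# types after '@' mapped to the NT domain that actually holds the account.
REALM_TO_NT_DOMAIN = {
    "example.edu": "CAMPUS",
    "mail.example.edu": "CAMPUS",
    "ad.example.edu": "CAMPUS",
    "med.example.edu": "MEDSCHOOL",
}
DEFAULT_NT_DOMAIN = "CAMPUS"  # where a bare user name is looked up


def normalize_user_name(user_name):
    """Turn the forms users actually type into (nt_domain, account).

    Accepts DOM\\user, DOM/user, user@realm and a bare user. An unknown realm raises
    so the policy can reject explicitly instead of guessing a domain.
    """
    name = user_name.strip()
    for sep in ("\\", "/"):
        if sep in name:
            domain, _, account = name.partition(sep)
            return domain.upper(), account
    if "@" in name:
        account, _, realm = name.rpartition("@")
        realm = realm.lower()
        if realm not in REALM_TO_NT_DOMAIN:
            raise ValueError("unknown realm: %s" % realm)
        return REALM_TO_NT_DOMAIN[realm], account
    return DEFAULT_NT_DOMAIN, name


def peer_hash_name(user_name):
    """The name the peer feeds into ChallengeHash.

    RFC 2759 s.8.2: the user name excluding any prepended domain (the part up to and
    including a backslash). Anything else, including user@realm, is hashed as typed.
    """
    return user_name.rpartition("\\")[2]


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """RFC 2759 s.8.2 ChallengeHash: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8]."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("peer and authenticator challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(peer_hash_name(user_name).encode("utf-8"))  # byte encoding is an assumption
    return h.digest()[:8]


def verifier_inputs(user_name, peer_challenge, authenticator_challenge):
    """The two independent values the domain side needs.

    The 8-byte challenge is hashed over the name the client used (the original
    User-Name); the account is the normalized one. How these reach ntlm_auth in a
    given FreeRADIUS configuration is not shown on this page and is not assumed here.
    """
    nt_domain, account = normalize_user_name(user_name)
    return {
        "domain": nt_domain,
        "username": account,
        "challenge": challenge_hash(peer_challenge, authenticator_challenge, user_name).hex(),
    }


if __name__ == "__main__":
    pc = bytes(range(16))          # constructed peer challenge
    ac = bytes(range(16, 32))      # constructed authenticator challenge
    for typed in ("CAMPUS\\jdoe", "campus/jdoe", "jdoe@Mail.Example.EDU",
                  "jdoe@med.example.edu", "jdoe"):
        print("%-24s -> %s" % (typed, verifier_inputs(typed, pc, ac)))
    try:
        verifier_inputs("jdoe@nowhere.example", pc, ac)
    except ValueError as e:
        print("rejected:", e)
```

Per sections 8.1 and 8.5 of the same RFC, the NT-Response is three DES encryptions of this 8-byte value under the user's NT password hash, so whoever verifies it needs only that hash and this value; the name used for the hash and the name used for the account lookup travel separately. Whether your own authentication path preserves that separation is something to confirm with `radiusd -X` against a test account for each name form you intend to accept.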


Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-10 Thread McNutt, Justin M.


From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thu, 2 Feb 2012 14:09:30 +
To: freeradius-users@lists.freeradius.org
Subject: Re: Multi-domain AD and Users Who Aren't So Bright

On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
ridiculously large number of phone calls to our Help Desk demonstrate
this, not to mention the Login incorrect messages from FR.  (I
built all of my fix it stanzas based on actual failed login
attempts by users.)

The other option is a single-domain environment. I've no idea of the
size of your site, but we do this. It removes a lot of hassle.

Obviously, that's probably not a sensible option for you; the disruption
of a move would be enormous!

We looked at this.  A lot.  For these specific reasons.  The main problems are 
political.  TECHNICALLY, we could just build a new domain in the existing 
forest and put everything NEW into that domain, then allow all of the other 
domains (except two) fade out through attrition.  The two exceptions would be 
the forest root (which contains no user or computer accounts), and a special 
domain that contains only retired user accounts (long story) and thus, not my 
problem.

But we won't do that, because this is a multi-campus university with lots of 
autonomy issues and wrangling for independence.  So we'll have to fight the 
good fight and make any software we use work in a multi-domain environment as 
AD was intended to work, regardless of any other practical issues.  ;)

We've also seen winbind drop out of the domain for no readily apparent
reason.

Winbind is also REALLY bad at detecting domain controller failure; it
keeps the TCP connection to the chosen DC open, and can take 30 seconds
or more to detect failures, and only *then* performs DC re-discovery.
Sigh...

Unfortunately, I don't have the time to chase the underlying problems
and report them to the Samba guys.

Same here on all counts, though we don't have machines dropping out very often. 
 But these kinds of things are why we have some complicated load balancing and 
redundancy in front of the RADIUS servers.  It's not a failure of FreeRADIUS, 
but rather the imperfect world that FR lives in.  Plus, in addition to reading 
through these replies and refining my multi-domain user-ID-fixing 
implementation, my current FR effort is to make the config more robust and 
tolerant of server failures.  The ldap module is currently configured in a way 
that depends entirely upon a single domain controller.  That's bad.  I KNOW 
there's a way to config FR better than this.  I just have to go read more stuff 
in /usr/share/docs/freeradius.

--J




Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-10 Thread McNutt, Justin M.


Thoughts?  Opinions?  Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your users always use the correct DOM\user
format.
Or make 'em use their institutional email address. Easier to remember :)
Seems trivial but it might not be. At least in our case we have 3 kinds
of email addresses, referring to 2 domains. And the name before the '@'
sign might not be the same as the sAMAccountName.

I'm trying (with no luck :( ) to use
/usr/bin/net ads search -P (mail=%{User-Name}) sAMAccountName|grep
sAMAccountName|sed s/^[^ ]* //
(maybe it's possible to do the same without using grep and sed, but it's
been just a quick test -- suggestions welcome).

Replacement is OK, but seems secrets.tdb can't be opened :( even if
permissions should be OK :-?

A limit of net ads search is that it searches only the default (joined)
domain, unless you specify another domain controller with -S or -I -- I
could easily do that based on the mail domain but in others setups it
could be harder.

A problem I'm having with that is the fact that we outsourced student e-mail 
(so they can continue to use that account after they graduate).  So the 
password for their e-mail account is not the same as the password for their AD 
account (possibly).

For the lookup, I'm betting that ldapsearch could be given a filter like 
(|(sAMAccountName=%{User-Name})(exchangeSMTPAliases=%{User-Name})) that would 
match any valid SMTP alias, but that's assuming that you're using Exchange and 
all of the aliases are visible in AD someplace.

Also, I'm finding that the callouts to scripts of any kind to run 'ldapsearch' 
are fairly slow.  I'm working on a way to run 'ldapsearch' daily and 
pre-populating an Oracle or MySQL database with the data that I want so that FR 
can look there first, and only go to an 'ldapsearch' script if that fails 
(maybe).  I'm pretty impressed with the way ldapsearch will failover to a 
second, third, fourth URI given at the command line, but the shell call takes a 
lot of time as the load ramps up.

--J



Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-02 Thread McNutt, Justin M.
On 02/01/2012 09:57 PM, McNutt, Justin M. wrote:

Thoughts?  Opinions?  Better ways to accomplish any/all of this?

Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your users always use the correct DOM\user
format.

We just finished a many-year span trying to get users to understand and use 
DOM\user.  They don't get it, at least not consistently.  A ridiculously large 
number of phone calls to our Help Desk demonstrate this, not to mention the 
Login incorrect messages from FR.  (I built all of my fix it stanzas based 
on actual failed login attempts by users.)

Couple of things you could do; use SQL to store the mappings rather than
hard-code; replace your script with a SQL lookup (use a bulk LDAP dump
to populate unqualified user -> domain mapping, nightly).

I guess in an ideal world, Samba would handle any username format that
windows itself would handle, and none of this would be necessary e.g.
ntlm_auth might output:

SamAccountName: user
NT-Domain: DOM
NT_KEY: foobar

...and FR could populate those.

Ideally, ntlm_auth would just take SamAccountName and NT_KEY and figure out the 
domain for itself (requiring an LDAP lookup, which is cached by winbind if you 
use wbinfo to do it).

But TBH I think (not sure here) you've crafted a solution that processes
usernames windows itself could not; basically you've coded site-specific
knowledge into your configs. This is, necessarily, site specific!

That's true.  At the login screen, Windows will accept DOM\user or 
u...@ad.domain.com, but my solution also allows for DOM/user and 
users@valid.email.address and just user, plus anything else I feel makes 
sense to a human, and thus deserves to be accepted by the computer.

tl;dr - from what I can see, that's about as good as you're going to get.

Thanks for the reply.  I think so too, for the moment.

I didn't give many details on what the GetDomain.pl script does.  At first, I 
had it set to use wbinfo --all-domains to get a list of all valid domains in 
the forest (weeding out a few things like BUILTIN), and then just iterate 
through each domain and see if user had a SID in that domain.  On the one 
hand, this was wasteful.  On the other hand, it was still pretty fast, required 
no password (aside from the Samba/LDAP configs, which aren't seen at the 
command line), and winbind cached the results, including the negative results.

That caching seemed like a really good idea to me.  Sadly, it failed miserably.

In practice, the wbinfo method caused... problems.  We aren't exactly sure 
what it broke, but the test FR server would stop authenticating altogether.  
When winbind was restarted, it would complain "Cannot find KDC for this 
domain", which usually means it needs to be removed and re-joined to AD.  But 
even that didn't *quite* fix it.  After re-joining and waiting a few minutes, 
the problem would go away.  (Likely, there's some AD policy that was violated 
that temporarily locked the resource account that Samba and/or FR use for 
authenticating *themselves* to AD that had to expire.)

So wbinfo works from the command line by hand, not so much when scaled up.

So now GetDomain.pl uses ldapsearch.  Advantage is it works well and only 
requires a single lookup per user ID (rather than iterating through anything).  
Disadvantage is lack of any sort of caching (SQL server for cache might be good 
here), and the fact that I, personally, find that when I have to include the 
password in the CLI arguments and the program does not hide them for me in the 
ps output, I'm a bit disappointed.

So yeah, I'm pretty happy with it so far.  We'll see how it scales up when it's 
done to the production servers.  Setting up MySQL and a single table to hold 
user / domain / TTL cached data wouldn't be difficult, though the politics 
around here are such that I'll have to ask around a bit about the best way to 
do that, even if the end result is the same.  *sigh*

(I can always build it on just the test server and call it a proof of concept, 
of course)

--J



Multi-domain AD and Users Who Aren't So Bright

2012-02-01 Thread McNutt, Justin M.
So I'm working on a way to Improve the User Experience.  I've gotten a LONG 
way, but now I'm stuck.  Here's the short/long version (all details, without 
undue explanation or discussion of what I tried that doesn't work):

WARNING:  This may well be a case of doing it the hard way.  If that's the 
case, feel free to tell me, but it's not for lack of trying to research this 
via Google, searching archives of this list, etc.  Just tell me what I'm doing 
wrong.  I can handle it.  ;)

Okay, here goes:

1)  I created two custom attributes named My-NT-Domain and My-User-Name and 
added them to the dictionary file as 3003 and 3004, respectively.

2)  I added sections to sites-enabled/my-virt-server in the authorize { like 
this:

# Allow host-based authentication for computers in the domain.
if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) {
    update request {
        My-User-Name = "%{mschap:User-Name}"
        My-NT-Domain = "%{1}"
    }
}
# Fix the forward slash.
elsif ( User-Name =~ /([^\/]+)\/(.+)/ ) {
    update request {
        My-User-Name = "%{2}"
        My-NT-Domain = "%{1}"
    }
}
# New student e-mail format.
elsif ( User-Name =~ /([^@]+)@mail.missouri.edu/ ) {
    update request {
        My-User-Name = "%{1}"
        My-NT-Domain = "TIGERS"
    }
}

... and so on.

3)  I changed /etc/raddb/modules/mschap to call ntlm_auth like this:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{My-User-Name}:-%{mschap:User-Name}} --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


So at this point, if a user plugs in the correct domain\username stuff, none 
of the cleanup cases match, so my custom attributes are empty, and the usual 
%{mschap:xx} variables work fine.  If fixes were necessary, the custom 
attributes take over.

All that works fine.

NOW we want to be able to have a user authenticate without specifying a domain. 
 In theory, that's no big deal.  If the users NEVER specify a domain at all, I 
can populate my custom attributes with this:

if ( ! My-NT-Domain ) {
    update request {
        My-User-Name = "%{User-Name}"
        My-NT-Domain = `/etc/raddb/bin/GetDomain.pl %{User-Name}`
    }
}

The GetDomain.pl script does a command-line LDAP search (using ldapsearch) 
against our AD for %{User-Name}, grabs the dn attribute, matches the AD domain, 
and returns the NT domain that corresponds.  This also works.

NOW, the problem is that if the user DOES specify domain\username correctly, 
then none of the cleanup cases match, so My-NT-Domain is empty.  But since my 
custom attribute is empty, the Perl script is being called unnecessarily to run 
the LDAP search.

Solution:

I was still thinking about this as I wrote it, and I modified the final check 
clause (that looks for the total absence of domain hints) and I thought of a 
way to implicitly resolve the case where the user passes scary characters in 
the user ID (injection attack) AND the case where the user specified a valid 
domain\username set of creds at the same time:

# Check special fix-it cases above.
# These could probably be done as a single if statement.
# It was simpler to keep them separate while testing.
if ( ! My-NT-Domain ) {
    if ( User-Name =~ /^[a-zA-Z0-9]+$/ ) {
        update request {
            My-User-Name = "%{User-Name}"
            My-NT-Domain = `/etc/raddb/bin/GetDomain.pl %{User-Name}`
        }
    }
}


This appears to be working.

Overall, I give this solution about a B+.

PROS:
Works in a single forest, multi-domain environment, regardless of any 
conformity to typical AD domain naming standards.
Makes authentication SIMPLE for the users.
The way I wrote the GetDomain script, it always returns DOMAIN or (null) after 
only a single LDAP query (efficient).
Combined with judicious use of radiusd -XC provides a simple way to correct 
common typos.
Permits computer-based authentication to work again in multi-domain or 
non-typical-naming cases (where mschap currently fails).
Still reports the original creds as given by user (in case you still want to 
report on the cases that needed fixing and resolve the problem at the source, 
rather than making FR do all the work.
Limited to this virtual server.

CONS:
In many cases - like translating col.missouri.edu to UMC-USERS, the fixes 
are hard-coded.  By comparison, changing the / to a \ works for any domain in a 
single check.
Doubles (at least) the number of calls to AD in cases where everyone is lazy 
and leaves out the domain.  I.e. an LDAP call to get the domain plus the 

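As an added example (not the poster's unlang or GetDomain.pl), here is the same chain in Python: the fix-it cases in the order the post applies them, the alphanumeric guard that keeps odd characters away from the shell, and a stand-in for the one-query ldapsearch lookup. The AD-to-NT domain table, the sample DNs and the `SAMPLE_DIRECTORY` dict are constructed for the example, not real site data.

```python
import re

# Constructed table modelled on the post (col.missouri.edu -> UMC-USERS,
# mail.missouri.edu -> TIGERS); a real site would fill this from its forest.
AD_TO_NT_DOMAIN = {
    "col.missouri.edu": "UMC-USERS",
    "mail.missouri.edu": "TIGERS",
}

# Constructed stand-in for the ldapsearch result: sAMAccountName -> dn.
SAMPLE_DIRECTORY = {
    "jdoe": "CN=John Doe,OU=Staff,DC=col,DC=missouri,DC=edu",
    "tmpid": "CN=Temp Id,OU=Students,DC=mail,DC=missouri,DC=edu",
    "nowhere": "CN=Nobody,OU=Users,DC=example,DC=org",
}

# Guard in front of the external lookup: only plain alphanumerics ever reach
# the backtick call, so shell metacharacters in User-Name never get that far.
SAFE_BARE_USER = re.compile(r"^[a-zA-Z0-9]+$")

HOST_RE = re.compile(r"^host/([^.]+)\.(.+)$")      # host/name.dns.domain
SLASH_RE = re.compile(r"^([^/\\]+)[/\\](.+)$")    # DOM/user or DOM\user
MAIL_RE = re.compile(r"^([^@]+)@mail\.missouri\.edu$")


def dn_to_nt_domain(dn):
    """Join the DC= components of an AD dn into its DNS domain, then map
    that to the NT domain; None if the domain is not in the table."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p[3:] for p in parts if p.upper().startswith("DC=")]
    return AD_TO_NT_DOMAIN.get(".".join(dcs).lower())


def get_domain(user, directory=SAMPLE_DIRECTORY):
    """Stand-in for GetDomain.pl: a single lookup that returns the NT
    domain for a bare user ID, or None when nothing matches."""
    dn = directory.get(user)
    return dn_to_nt_domain(dn) if dn else None


def normalize_login(user_name, lookup=get_domain):
    """Return (user, domain) for ntlm_auth, or None if the login cannot be
    resolved without guessing or without calling out on unsafe input."""
    m = HOST_RE.match(user_name)
    if m:
        # Machine account: the SAM name is the short hostname plus '$',
        # and the full DNS domain is what the post hands to --domain.
        return m.group(1) + "$", m.group(2)
    m = SLASH_RE.match(user_name)
    if m:
        # DOM\user is already correct; DOM/user is the typo being fixed.
        return m.group(2), m.group(1)
    m = MAIL_RE.match(user_name)
    if m:
        return m.group(1), "TIGERS"
    if not SAFE_BARE_USER.match(user_name):
        return None  # unexpected characters: no shell call, no guess
    domain = lookup(user_name)
    return (user_name, domain) if domain else None


if __name__ == "__main__":
    for raw in ("UMC-USERS/jdoe", "host/dnps-caplap-4.col.missouri.edu",
                "tmpid@mail.missouri.edu", "jdoe", "nowhere", "jdoe;id"):
        print(raw, "->", normalize_login(raw))
```
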
Re: Multi-domain AD [Kudos]

2012-02-01 Thread McNutt, Justin M.
Btw, kudos to Alan DeKok and the rest of the FR developers for these FR 
abilities.  The things listed here were INVALUABLE to figuring all of this out 
without just guessing:

1)  radiusd -XC  You just can't live without this.  Seriously.

2)  radiusd -X  It's there for a reason.  Specifically,

3)  THIS (from radiusd -X):

++? if (User-Name =~ /host\/[^\.]+\.(.+)/ )
? Evaluating (User-Name =~ /host\/[^\.]+\.(.+)/) -> FALSE
++? if (User-Name =~ /host\/[^\.]+\.(.+)/ ) -> FALSE
++? elsif (User-Name =~ /([^\/]+)\/(.+)/ )
? Evaluating (User-Name =~ /([^\/]+)\/(.+)/) -> FALSE
++? elsif (User-Name =~ /([^\/]+)\/(.+)/ ) -> FALSE

4)  and THIS:

[mschap] Told to do MS-CHAPv2 for tmpid with NT-Password
[mschap] expand: %{My-User-Name} ->
[mschap] expand: %{mschap:User-Name} -> tmpid
[mschap] expand: --username=%{%{My-User-Name}:-%{mschap:User-Name}} -> --username=tmpid
[mschap] expand: %{My-NT-Domain} ->
[mschap] expand: %{mschap:NT-Domain} -> testing
[mschap] expand: --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}} -> --domain=testing

5)  and last, but certainly not least, man unlang.  It won't read itself, 
yanno!

It may not be the best way to do it, but it works, and I couldn't have done it 
without all of these debugging features.  It's what my Linux sysadmin calls 
"awesome sauce."

--J

From: mcnu...@missouri.edu
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Wed, 1 Feb 2012 21:57:02 +
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Multi-domain AD and Users Who Aren't So Bright



Re: self-signed root CA

2012-01-30 Thread McNutt, Justin M.
Thanks to all for the responses so far.  I'm still reading through them.

In my case, guests are given a WEP key (which just keeps the "Automatically 
Connect to Open Networks" devices away) and allowed to connect to a guest SSID 
which has a separate Internet drain, policies, limitations, etc.  To get high 
speed access, you have to take the trouble to get an account and use the 
EAP-enabled network.

Carrot and stick.  But to be clear, I'm not making guests authenticate at all, 
so that's one nasty problem that is outside of the scope of this particular 
discussion.

--J

From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 27 Jan 2012 10:07:27 +
To: freeradius-users@lists.freeradius.org
Subject: Re: self-signed root CA

On 01/27/2012 12:29 AM, Christ Schlacta wrote:
   I've attached android, windows 7, macosx, and ubuntu linux to an
eap-tls network using wpa2-eap-tls, which requires client and CA certs.
it's no issue once you know what you're doing. the hardest part is the
nearly complete lack of documentation for any OS except linux. you're
limited to what google provides from various blogs.

Once you know what you're doing.

When guests arrive at your site, they don't want to spend 20 minutes
following intricate docs. Especially if their meeting is only 30 minutes.

Sure *I* can get any of those systems online in under a minute. The
concern is how fast a short-lived guest can get online. Our web-based
"staff create a guest account" portal takes only seconds. Walking the
user through cert installation takes a lot longer.


Re: self-signed root CA

2012-01-30 Thread McNutt, Justin M.
This is basically what we've decided.  Assuming there are no more issues with 
management, we're going to set up a separate CA for RADIUS that only signs the 
server certs for the RADIUS servers.

Thanks to all for the replies.  Very useful!

--J

From: Christ Schlacta li...@aarcane.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thu, 26 Jan 2012 16:25:33 -0800
To: freeradius-users@lists.freeradius.org
Subject: Re: self-signed root CA

Self-signed provides stronger security in most cases.  I'm using
self-signed here, and distributing a certificate to unmanaged user
devices is as easy as placing a p12 file on a USB drive and requiring
users to stop by ops before getting on wireless.  If you're using a
public CA to sign certs, and you're not using TLS authentication (I'm
guessing you're not.  getting that many certs would be expensive), then
anyone can impersonate your network and intercept perceivably protected
traffic.  this is BAD.  Insofar as I know, nearly everyone on this list
using certs is using self-signed.

On 1/25/2012 16:08, McNutt, Justin M. wrote:


self-signed root CA

2012-01-25 Thread McNutt, Justin M.
So I'm getting some pushback in my organization against using a self-signed CA 
for signing my RADIUS server certs.  To make a long story short, I was asked to 
find out what other people were doing.

For my own reasons, I'd like to know slightly more than that.  If you AREN'T 
using a self-signed CA for your RADIUS server, what made you use another CA, 
and what CA did you use?

And just to be clear, is the consensus still that a self-signed CA is the way 
to go, assuming that you have a decent way to distribute the CA cert (which we 
do) to the clients who need to trust it?

I've read /etc/raddb/certs/README and I've done some Googling and everything I 
find pretty much assumes that you're using a self-signed CA.  The README 
explains briefly why, but my management wants more assurance than that, so here 
I am.

Looking forward to your responses, and thanks in advance.

--J



RE: FR 2.1.7 Exits for no reason

2011-03-11 Thread McNutt, Justin M.
Well, at the very least, I'm going to START there and see what happens.

It's maddening, since it goes for weeks with no problems, and then suddenly two 
or three will die within hours. :(

--J

 -Original Message-
 From: 
 freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius
 .org 
 [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.fr
 eeradius.org] On Behalf Of Alan Buxey
 Sent: Wednesday, March 09, 2011 3:28 AM
 To: FreeRadius users mailing list
 Subject: Re: FR 2.1.7 Exits for no reason
 
 hi,
 
 2.1.7 has many little quirks/bugs that caused daemon deaths.  
 2.1.10 is the answer
 
 alan


FR 2.1.7 Exits for no reason

2011-03-08 Thread McNutt, Justin M.
Hey all,

So the host-based auth stuff is working well now, but we've discovered another 
problem.

We have four FR 2.1.7 servers running on RHEL 5 (fully patched).  Every now and 
then, for no apparent reason, radiusd just stops.  It exits with "Exiting 
normally." to syslog.  They don't all exit at the same time.  Since there are 
four of them behind a load balancer, it usually doesn't result in a service 
outage, and we've been lucky so far that only a couple of them have been down 
at once.  But it's still disconcerting.

The servers tend to all be started within a minute of each other, since I make 
changes to Server #1, and then use an rsync script to replicate /etc/raddb to 
the other servers and restart them.  So they all start within seconds of one 
another.  This week, Server #3 stopped within about 8 hours of being started 
(went from 1130 to 1930).  Server #1 failed last week at 2330.  Server #4 
hasn't failed yet.  It's very odd.

Any ideas on how I can troubleshoot this?

Thanks!

Justin McNutt
Network Systems Analyst - Ninja
DNPS, Mizzou Telecom
(573) 882-5183

Do you have a concussion?

Ping is NOT a service.  You don't need it.  Use a real test.



Secondary LDAP server

2011-03-08 Thread McNutt, Justin M.
One of my virtual servers uses LDAP auth.  However, it isn't clear to me if 
modules/ldap can be configured with a secondary LDAP server, should the primary 
fail to respond.  The group that provides the LDAP server can't set up multiple 
servers behind a load balancer due to cert issues, so I'm looking for a way to 
add a failover LDAP server to the RADIUS configuration.

What's the easiest/best/recommended way to do something like this?  Can 
modules/ldap be configured this way, or should I create a modules/ldap2 (or 
similar) and call it somehow?

Suggestions welcome.

Thanks!




RE: FR 2.1.7 Exits for no reason

2011-03-08 Thread McNutt, Justin M.
You must realize that "gdb" by itself is an answer that is of very little use.  
While I am aware that gdb is the GNU Debugger, you have no way of knowing that 
I do, and you gave no other context or other information that would help me use 
gdb to gather anything.

So let me be more clear:

What EXACTLY do I need to do to get more information about this phenomenon, and 
under what circumstances do I need to do it, and once I have some output, what 
should I be looking for in it?  Running production RADIUS servers with "strace 
radiusd -X" is probably impractical (and highly insecure), and may even alter 
the runtime environment such that the fatal event never occurs.  I've never 
observed the failure in either of the two test servers I run, and their 
configurations are identical, so I must assume that radiusd dies after 
receiving some sort of improper/unexpected data, or when it gets into some 
weird state, or other such thing.

But it can't be fixed if I can't figure out how to reproduce it.  It'll happen 
eventually, but a server that is no longer running doesn't tell me much either. 
 How is gdb going to help me figure out why something isn't working any more?

--J


From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Tuesday, March 08, 2011 5:06 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: FR 2.1.7 Exits for no reason

Gdb

From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Tuesday, March 08, 2011 04:59 PM
To: freeradius-users@lists.freeradius.org 
freeradius-users@lists.freeradius.org
Subject: FR 2.1.7 Exits for no reason


RE: Secondary LDAP server

2011-03-08 Thread McNutt, Justin M.
It's not anywhere in the config files, but I did find where RedHat hid the 
doc/* files.  There's a /usr/share/doc/freeradius-2.1.7/configurable_failover 
that looks like what I need.  Goes into some decent detail, too.

--J


From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org 
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On 
Behalf Of Gary Gatten
Sent: Tuesday, March 08, 2011 5:17 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Secondary LDAP server

I'm pretty sure this is discussed, examples, etc in the doc: online and in FR 
conf files. Sorry I don't have exact location handy, but I'm sure its there.

From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Tuesday, March 08, 2011 05:02 PM
To: freeradius-users@lists.freeradius.org 
freeradius-users@lists.freeradius.org
Subject: Secondary LDAP server


RE: mschap with ntlm_auth and Active Directory

2011-03-04 Thread McNutt, Justin M.
  root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
  --password=Pa$$w0rd
  NT_STATUS_OK: Success (0x0)
  root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6
  --password=Pa$$w0rd
  NT_STATUS_OK: Success (0x0)
  root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
  --password=Pa$$w0rd
  NT_STATUS_OK: Success (0x0)
 
  The password Pa$$w0rd is set in the Wireless Controller, if 
 thats what you
  mean by mschap client?

May I suggest two things:

1)  I'm assuming that the password is not actually 'Pa$$w0rd', but that string 
reminds me that certain special characters - the dollar sign is a notable one - 
are not always handled correctly in password strings.  Even if FreeRADIUS is 
handling it correctly, AD may not, and the wireless controller may not.  I 
suggest setting the password to something simpler.  If your password policy 
requires special characters, use dash, equals, underscore, or dot.  I have used 
passwords with these characters successfully when authenticating via EAP/PEAP 
through FreeRADIUS and then on through MSCHAPv2 to AD via ntlm_auth.  (Same 
chain as you.)

2)  Even if you are confident that your real password's characters are not a 
problem, re-enter it on the wireless controller, MANUALLY.  You may have 
accidentally entered an unprintable character or a space or some similar thing 
that causes the password to APPEAR to be correct, when in fact it doesn't match.

--J


RE: mschap with ntlm_auth and Active Directory

2011-03-03 Thread McNutt, Justin M.

  I'm using Samba version 3.5.4 and FreeRADIUS Version 2.1.9 
 on Ubuntu 10.10.

I'm using 3.5.4 and FreeRADIUS 2.1.7.  Should be okay.

--J 


RE: mschap with ntlm_auth and Active Directory

2011-03-03 Thread McNutt, Justin M.
 Found Auth-Type = MSCHAP
 +- entering group MS-CHAP {...}
 [mschap] Told to do MS-CHAPv1 with NT-Password
 [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=001E52805980
 [mschap] No NT-Domain was found in the User-Name.
 [mschap] expand: %{mschap:NT-Domain} ->
 [mschap] ... expanding second conditional
 [mschap] expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} -> --domain=MY.ACTUAL.DOMAIN
 [mschap]  mschap1: 86
 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86acd2fc97136970
 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662
 Exec-Program output: Logon failure (0xc06d)
 Exec-Program-Wait: plaintext: Logon failure (0xc06d)
 Exec-Program: returned: 1
 [mschap] External script failed.
 [mschap] MS-CHAP-Response is incorrect.
 ++[mschap] returns reject
 Failed to authenticate the user.

First things first.  When you run this on the command line, what exactly do you 
get?

ntlm_auth --request-nt-key \
--username=001E52805980 \
--domain=MY.ACTUAL.DOMAIN \
--challenge=86acd2fc97136970 \
--nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662

(You may need to run FreeRADIUS in debug mode, observe another failure, and 
then copy the challenge and response values from that *recent* failure in there 
for this to work.  I don't know what the lifetime is on those values.  Using 
the ones from hours ago may not work.)

Second question is, is request-nt-key appropriate in this case?  I only ask 
because I've only ever used ntlm_auth to authenticate Windows hosts directly.  
In this case, the wireless controller is doing the authentication, and the 
wireless controller is not a Windows box.  Sure, it's using a set of 
credentials in AD, but that's not exactly the same.  The *Windows* box is not 
doing the authentication.  The *controller* is.

--J


RE: mschap with ntlm_auth and Active Directory

2011-03-03 Thread McNutt, Justin M.
 I am trying to setup freeRadius to process requests from our Wireless
 Controller. The controller uses the wireless devices MAC 
 address as the
 username, and a predefined password. These MAC addresses all exist in
 Active Directory as user accounts, with the same password 
 set. This works
 fine with our current Windows 2003 Server but I'm trying to 
 get it going with
 FreeRadius.
 
 the mschap module line in MSCHAP for ntlm_auth is as such:
...

I forgot to mention:  Also check that winbind is working like this:

wbinfo --all-domains

If you don't see a list of all valid NT-style domains, winbind is broken and 
you'll have to fix that first.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
 These look like MS-CHAP machine-auth usernames; have you 
 considered using:
 
 %{mschap:User-Name}
 %{mschap:NT-Domain}
 
 The mschap module has special handling for host/ names, and 
 these will 
 expand:
 
 host/name.domain.com
 
 to:
 
 name$
 domain.com
 
 The trailing dollar sign on the hostname is intentional; SAM account 
 names for machines conventionally end in $ in windows.

I'm aware of all of this.  The problem is, it doesn't seem to be actually 
working.  Here's the ntlm_auth command I'm using:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

Note use of %{mschap:User-Name} and %{mschap:NT-Domain}.  Despite this, 
host/computer.domain login attempts always fail.  Hence, trying to do the 
translation manually via a regex and update clauses.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
   And what happens when you try to run ntlm_auth on the command-line?
 
   i.e. take the string printed by the server, and keep running it by
 hand.  Play with the various parameters until it works.  Then, configure
 the server to run it with those parameters.

I haven't, partly because it works for users, partly because it seemed that 
some others had done this already and might have been able to tell me what I'm 
doing incorrectly, and partly because I don't know what you mean by "take the 
string printed by the server".  What is the string in this case?

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
  Note use of %{mschap:User-Name} and 
 %{mschap:NT-Domain}.  Despite this, host/computer.domain 
 login attempts always fail.  Hence, trying to do the 
 translation manually via a regex and update clauses.
 
   And what happens when you try to run ntlm_auth on the command-line?
 
   i.e. take the string printed by the server, and keep running it by
 hand.  Play with the various parameters until it works.  
 Then, configure
 the server to run it with those parameters.

Also, here is the 'mschap' section from a recent attempt.  Note that the 
User-Name attribute is not changed to 'dnps-caplap-4$' nor is the NT-Domain 
attribute set to 'col.missouri.edu'.  The User-Name attribute is being left 
unchanged and the NT-Domain attribute is set to 'col'.

So something in mschap is broken?  Perhaps it's an old bug?  This is version 
2.1.7 (built a little over a year ago, Dec. 2009).

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> In the most recent debug I see you posted (16:36 yesterday)
> it's failing
> because:
>
> [eap] Request is supposed to be proxied to Realm $2.  Not doing EAP.
> ++[eap] returns noop
...
> You tried to use a regexp to parse the username (usually a mistake IMHO)
> and put the domain bit into the Proxy-To-Realm attribute but
> Proxy-To-Realm instructs the server to do just that - which cancels
> local authentication.

Agreed.  I commented all that back out this morning while pursuing the mschap 
possibility.

> Reading back through the thread, it seems like there is some confusion
> between domain in the Windows NT/Active Directory sense, and domain
> as a Realm, which is a concept used in Radius proxying.
>
> I'm going to take a guess and assume you don't really need to do
> proxying, and were just trying to use the realm module to strip off
> the host/...domain.com bits, and have gotten a bit tangled.

Yup.

> Make sure you're using %{mschap:User-Name} everywhere that NT domain
> usernames might exist - in the ldap module filter, for starters.

That's the thing.  There isn't anywhere else to set it, that I can see.

> At this point, you may find it easier to revert to the default configs
> and start from scratch, one change at a time and keeping the
> configs in version control.

That's another thing.  I specifically created this setup by doing:

cd /etc/raddb/sites-available
cp default campus-eap

And then making only the necessary changes to make it work.  Anything I've 
changed was done by commenting out the original, copying that line(s), and 
making changes.  I have changed very, very little from the default.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
>> Also, here is the 'mschap' section from a recent attempt.
>
> I don't see anything. Did you forget an attachment?

Um... yeah.  I'm doing a couple of things at once.  Here it is.

Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with 
NT-Password
[mschap]expand: %{Stripped-User-Name} -> 
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for 
details
## NOTE THE NEXT THREE LINES:
[mschap]expand: %{User-Name:-None} -> 
host/dnps-caplap-4.col.missouri.edu
[mschap]expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} 
-> --username=host/dnps-caplap-4.col.missouri.edu
[mschap]expand: --domain=%{mschap:NT-Domain} -> --domain=col
[mschap]  mschap2: e8
[mschap]expand: --challenge=%{mschap:Challenge:-00} -> 
--challenge=665bcdce0a4676a0
[mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> 
--nt-response=ac910bfec0608f8f666352ef38ffdd6d6298a98ef35b9b41

>> So something in mschap is broken?  Perhaps it is an old bug?
>> This is version 2.1.7 (built a little over a year ago, Dec. 2009).
>
> I don't think so. That code has been unchanged for a *long* time.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> which you resolve by putting the right entries into proxy.conf
>
> eg
>
> col.missouri.edu {
>     strip
> }

Do you mean:

realm col.missouri.edu {
strip
}

?

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
>   And what happens when you try to run ntlm_auth on the command-line?
>
>   i.e. take the string printed by the server, and keep running it by
> hand.  Play with the various parameters until it works.
> Then, configure
> the server to run it with those parameters.

I dug through the debug output and presumed that you meant, do this from the 
command line:

wbinfo --all-domains
- good check that winbind isn't screwy
- test passed

ntlm_auth --request-nt-key --username='dnps-caplap-4$' 
--domain=col.missouri.edu --challenge=(pasted-from-debug) 
--nt-response=(pasted-from-debug)

The result was:  NT_KEY: (long hex string)

If I change the username to a bogus hostname, I get Logon failure (hex error).

So I presume that the problem really is just the proper translation of 
host/computer.domain to username=computer$ domain=domain.

Given that I've changed so very few things from the default configs, is there 
someplace I should look at turning things off that I'm not using that would at 
least simplify the issue?  For example, I see rlm_ldap calls just before Found 
Auth-Type = EAP, possibly called by the files section just above that.  Will 
commenting out unix and files and anything else in the virtual server that 
I'm not using confuse or simplify the issue?

I don't want to go changing things that are normally relied upon to preprocess 
something or at least create some usual expected behavior and make it all 
that much more complicated.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> this output does not match with what you claim to have been using.
>
> please ensure that your ntlm_auth configuration is correct
> and the right one is being called.
> (this one in debug is looking at %{Stripped-User-Name} etc -
> you claimed to be using %{mschap:User-Name}

That's a test that I ran this morning, taking the --username section from the 
example ntlm_auth line in the mschap module.  Since it didn't work, I set it 
back to ${mschap:User-Name}.  I pasted the results anyway because they are 
exactly the same as when I use %{mschap:User-Name}.

Mschap config has definitely been changed back to %{mschap:User-Name}.  Working 
on a few tests based on Phil Mayers' last reply.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.

>> [mschap]expand:
>> --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} ->
>> --username=host/dnps-caplap-4.col.missouri.edu
>
> That is not %{mschap:User-Name}. i.e. it's misconfigured

Actually, I tried it both ways, since the longer string shown above was the 
default.

>> [mschap]expand: --domain=%{mschap:NT-Domain} ->
>> --domain=col
>
> Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion
> assumes that in a host account of the form:
>
> host/username.domain.com
>
> ...the old-style short domain is domain. Of course, this falls apart
> if you have a disjoint DNS/AD namespace:
>
> host/username.subdomain.domain.com
>
> ...or if your new-style DNS domain and old-style NT domain
> don't match:
>
> host/username.mycompany.com vs. NT domain of CORP -
> mycompany != CORP

And this is the case.
AD domain = col.missouri.edu
NT domain = UMC-USERS

> The only real solution in this case is to not use the
> %{mschap:NT-Domain} expansion - you can't, since there's not
> enough info to get the old-style short domain name in all cases.
>
> So, in /etc/raddb/modules/mschap, set (don't include the line
> continuation \ I've added):
>
>   ntlm_auth = /path/to/ntlm_auth --request-nt-key \
>     --username=%{mschap:User-Name} --domain=YOURDOMAIN \
>     --challenge=... --nt-response=...

Good news:  

Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 
573 cli 00-90-4B-2F-80-B4)
+- entering group post-auth {...}
++[exec] returns noop
} # server campus-eap
Sending Access-Accept of id 179 to 128.206.131.253 port 20009

Bad news:

I have a multi-domain environment.  If I hard-code the domain in here, then 
only users or hosts from that domain will be able to authenticate.  How can I 
make it recognize the others and behave correctly?

It's fine if I have to write some code using string matching and switch/case.  
But I can't restrict access to only one domain.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> So, in /etc/raddb/modules/mschap, set (don't include the line
> continuation \ I've added):
>
>   ntlm_auth = /path/to/ntlm_auth --request-nt-key \
>     --username=%{mschap:User-Name} --domain=YOURDOMAIN \
>     --challenge=... --nt-response=...

More good news (though expected):  This change did not break authentication for 
users.  Both users and computers in DOMAIN (whether specified as 
col.missouri.edu or UMC-USERS) can now authenticate.

Still leaves the multi-domain problem, though.  :(

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> McNutt, Justin M. wrote:
>> ntlm_auth --request-nt-key --username='dnps-caplap-4$'
>> --domain=col.missouri.edu --challenge=(pasted-from-debug)
>> --nt-response=(pasted-from-debug)
>>
>> The result was:  NT_KEY: (long hex string)
>
>   Exactly.  Now that you know what works, the only problem is creating a
> configuration in FreeRADIUS that *automatically* uses that style of
> username & domain.

Sure.  I had been assuming that it worked, but this does prove it, thus 
reducing the number of unknowns in the conversation.

Based on the other thread regarding the behavior of the mschap module, here's 
where things stand.

- The User-Name variable is set to host/computer.ad.domain.edu, which 
is acceptable to ntlm_auth.  In my environment, ad.domain may vary and is not 
set the same as the NT domain (or even close).
- The mschap module wants to take ad.domain.edu and set the NT-Domain 
variable to ad, which likely works in some environments, but not here.
- The hard-coded domain name in the ntlm_auth command line works, but 
only for users/hosts in that domain (obviously).

So in the short term, I'd like to figure out a way to automatically match the 
DNS-style domain name based on the User-Name variable and update the NT-Domain 
variable so ntlm_auth will work for more cases.

Depending upon how this is implemented - what I'm about to say may not be 
necessary - I'd like to see a flag for the mschap module that chooses between 
the NT-style domain guessing (which results in col in this case) and 
DNS-style domain guessing (which would take everything after the first dot as 
the domain).  I think that might result in a cleaner solution in the long term.

I think it should be a flag - set to the current NT-style guessing as the 
default - to maintain backward compatibility and ease of removal in case it 
turns out to be a Very Bad Idea Indeed.

What do you think?

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
> %{mschap:NT-Domain} is not a real variable; it's a dynamic expansion.
> There's no attribute you can set, so you'll need to use another
> attribute (see my other email)

Gotcha.  I'm looking into that now (based on your other e-mail).  That's very 
likely do-able.

>> I think it should be a flag - set to the current NT-style guessing
>> as the default - to maintain backward compatibility and ease of
>> removal in case it turns out to be a Very Bad Idea Indeed.
>>
>> What do you think?
>
> I agree. However, as I say - I am pretty sure that long-form won't work
> either if you have a disjoint DNS/AD namespace. In that case, sites are
> going to have to use locally-defined rules.

I'm not following what you mean about disjoint namespace.  You mean the 
difference between UMC-USERS and col.missouri.edu?  I think of UMC-USERS 
as NT namespace whereas I see AD and DNS as the same thing, in this case.

In any event, in the test cases where I hard-coded one of the domain names into 
the ntlm_auth string, I used col.missouri.edu (DNS/long form) and this 
worked.  So I'm confident in that part.  I'd just like to see it done 
automatically, given a user flag that asks it to do so.

--J


RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.

> Disjoint namespace is the term used if you have DNS names for windows
> active directory members which are anything other than:
>
> samaccountname.AD domain
>
> So, if you give your hosts DNS hostnames of:
>
> samaccountname.dept.AD domain
>
> ...this is a disjoint namespace. This is a supported configuration in
> principle - AD itself and most of the Microsoft tools work just fine -
> but in practice you'll find an awful lot of 3rd party stuff out there
> assumes that the AD domain starts at the first . in the hostname, and
> will break if it doesn't.
>
> This makes me sad, since the underlying protocols that AD is built on
> (DNS, Kerberos, LDAP) have plenty of mechanisms for doing the mapping
> properly. They're just not used.

Okay.  Fortunately, we're not doing that.  Missouri.edu is not an AD domain.  
Col.missouri.edu however, is.  So a dnps-caplap-4.col.missouri.edu is a 
computer named dnps-caplap-4 in the col.missouri.edu AD domain.

So the first dot assumption should work IF you take col.missouri.edu as the 
domain, rather than just COL (that which is between the first two dots).

--J


Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

2011-03-02 Thread McNutt, Justin M.
> I think you'll have to do that. The tedious bit is matching
> the domains in the regexps.
>
> My advice would be to define a local, internal-only attribute in
> /etc/raddb/dictionary:
>
> ATTRIBUTE My-NT-Domain 3003 string

Done.

> ...then in your ntlm_auth helper, do:
>
>   ntlm_auth = ... --domain=%{My-NT-Domain:-DEFAULTVALUE} ...

Done.  Works:

[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for 
details
[mschap]expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} -> 
--domain=umad.umsystem.edu

(We'll get back to that deprecated conditional part later, assuming it's not 
part of the problem.)

> ...and set this in your regexps:
>
> if (User-Name =~ /host[/].+[.]domain.com/) {
>   update request {
>     My-NT-Domain = DOMAIN.COM
>   }
> }
> elsif (...) {
> }

I had this whole long e-mail about how it wasn't working yet the way I expected 
and wasn't matching all the time and blah blah blah.  I was copying some more 
stuff out of the debug output to paste in here when I saw this:

Sending tunneled request
EAP-Message = 
0x0208002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = host/dnps-caplap-4.col.missouri.edu
server campus-inner-tunnel {
+- entering group authorize {...}

... campus-inner-tunnel ...  I'm working on the wrong virtual server!  I 
mean, the variables were getting matched and modified, but only on the outer 
tunnel (campus-eap)!  Curses!

So I moved (*moved*, not *copied*) the if User-Name =~ /stuff/ block to the 
'campus-inner-tunnel' virtual server's config just after the suffix and 
ntdomain items are called, and bingo!  My-NT-Domain is set correctly and the 
host is able to get in.

NOTE:  This successful test was done AFTER the output you see above that 
references umad.umsystem.edu.  The domain umad.umsystem.edu is a valid 
domain here, but there are no computers in it.  I was using that domain so I 
could see if the expansion was working, not getting modified, or what.  It also 
means that it won't work by accident due to my defaults.  It all has to work or 
it breaks.  So I now KNOW that this stuff you guys have been helping me set up 
works THE WAY WE ALL THINK IT SHOULD, not just by accident.  Totally awesome.

I may set up the eventual production box to have a more tolerant default, but 
this was perfect for testing.  We'll see.

Anyway, now that this part is working, I'm going to double-check that I haven't 
now broken user-based auth.  If not, I'm going to try to re-write the pattern 
match to actually pull the domain name out as %{1} so it works for all domains 
using one bit of code, rather than hard-coding in every domain I deem as 
valid.

Whatever it ends up working, I'll respond back to the list, since it sounds 
like at least one other person was interested in making this work soon.

Thanks very much for all the help, everyone.  This has been enlightening.

--J


RE: Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

2011-03-02 Thread McNutt, Justin M.
Holy crap, it works!  I spent some time un-doing as many of the other changes 
as I could find (that is, anything that deviates from the default and isn't 
shown below).  So what follows should be everything needed to make this work.

STEP 1:  CUSTOM ATTRIBUTE
=
> My advice would be to define a local, internal-only attribute in
> /etc/raddb/dictionary:
> ATTRIBUTE My-NT-Domain 3003 string

This was done exactly as shown.


STEP 2:  UPDATE MSCHAP MODULE TO USE CUSTOM ATTRIBUTE, IF SET
=
ntlm_auth = ... --domain=%{My-NT-Domain:-DEFAULTVALUE} ...

This was modified slightly to preserve DOMAIN\USER authentication attempts.  
Here's what I have working in /etc/raddb/modules/mschap (prettified with the 
backslashes only for readability here):

ntlm_auth = /usr/bin/ntlm_auth \
--request-nt-key \
--username=%{mschap:User-Name} \
--domain=%{My-NT-Domain:-%{mschap:NT-Domain}} \
--challenge=%{mschap:Challenge:-00} \
--nt-response=%{mschap:NT-Response:-00}

Now this generates the following messages:
> [mschap] WARNING: Deprecated conditional expansion :-.  See man unlang
> for details
> [mschap]expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} ->
> --domain=col.missouri.edu

So I changed it to use --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}.  That 
cleared up the warning messages.  You can also set it to default to one domain 
or another, or (I suppose) fall through both variables to a default domain.  I 
haven't bothered with this.  Yet.


STEP 3:  SET UP REGEX TO GRAB AD-STYLE DOMAIN NAME FOR HOST AUTH


This part goes ONLY IN THE inner-tunnel VIRTUAL SERVER DEFINITION when doing 
EAP authentication.  At one time, I had these bits in both the outer and inner 
virtual servers.  In my case, I only care about EAP authentication, so I 
reverted the outer tunnel to the defaults and made these changes to the 
inner-tunnel virtual server.  If you aren't doing EAP, or you aren't sure, you 
can add this code to the outer virtual server without problems (as far as I can 
tell).

Anyway, here's the code:

#
suffix
#   ntdomain

# Match 'host', then a slash, then the computer name
# (stuff that's not a dot), then a dot.
# Grab everything after that and use it as the domain.
if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) {
update request {
My-NT-Domain = %{1}
}
}

The suffix and ntdomain lines are shown for context, to show *where* I have 
this code, and also to demonstrate that this works with the ntdomain part 
commented out.  Any shenanigans with THIS\THAT User-Name values are handled 
correctly by mschap, so it's unnecessary to play with it here.


STEP 4:  IT WORKS, BUT GOOD LORD, *WHY*?


IF IT'S A HOST ACCOUNT:
- Anything after the first dot in the computer's FQDN is pulled out 
and assigned to the custom attribute My-NT-Domain.
- User-Name is still host/COMPUTER.DOMAIN
- My-NT-Domain is DOMAIN
- %{mschap:NT-Domain} is in a don't care state.  My-NT-Domain 
overrides it.
- ntlm_auth is called and My-NT-Domain is used for the --domain part, 
since it has a value.
- It works!

IF IT IS NOT A HOST ACCOUNT:
- It is extremely unlikely that the User-Name variable will match 
host/foo.bar, so My-NT-Domain remains unset.
- With My-NT-Domain unset, ntlm_auth uses %{mschap:NT-Domain} instead, 
which is what we were doing with only user accounts anyway.
- It works!

IF YOU LOGGED INTO A WINDOWS MACHINE USING A LOCAL ACCOUNT:
If it's XP, this isn't going to work.  Even though the XP machine is a 
member of the domain and has successfully authenticated, XP will switch over to 
the user ID you used to log in.  Since that's a local account, this will fail.
WORKAROUND (XP):  You can go into View Wireless Networks, select the 
network, click Connect.  Wait a few seconds and a bubble will appear above 
the systray prompting you for credentials.  I used DOMAIN\USER format in the 
User field, my password in the obvious place, and left the Domain field 
blank.  After that, whenever I logged in using that same local account, XP 
cached my domain user's credentials for logging into the network.
WORKAROUND (Vista/Win7):  I believe Windows Vista and newer can be 
configured so that the computer does not try to re-authenticate upon user 
login.  That is, it can be made to log in using the AD host account and just 
stay there forever, thus enabling the use of whatever local accounts you like.  
I HAVE ONLY READ ABOUT THIS AND NEVER TESTED IT.  I plan to work on this next.  
I'll post my results, if no one else beats me to it.

Many thanks to everyone on the freeradius-users 
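
The three-step translation above, modelled in Python as an added example (not FreeRADIUS or rlm_mschap code). The behaviour of %{mschap:User-Name} and %{mschap:NT-Domain} is an assumption based on what this thread reports (computer$ and the first label after the first dot); the DOMAIN\user sample is constructed.

```python
import re
from typing import Dict, Optional

# Regex from the final inner-tunnel config in this thread:
#   if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) { update request { My-NT-Domain = %{1} } }
# unlang's =~ is an unanchored search, so re.search() is the Python equivalent.
HOST_ACCOUNT_RE = re.compile(r"host/[^.]+\.(.+)")


def mschap_user_name(user_name: str) -> str:
    """Model (assumption, from what the thread reports, not rlm_mschap source) of
    %{mschap:User-Name}: host/computer.domain -> 'computer$', DOMAIN\\user -> 'user',
    anything else is passed through unchanged."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        return fqdn.split(".", 1)[0] + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def mschap_nt_domain(user_name: str) -> Optional[str]:
    """Model of %{mschap:NT-Domain}: DOMAIN\\user -> 'DOMAIN'; for host/computer.a.b.c
    it guesses the old-style short domain as the first label after the first dot
    ('col' in the thread's debug output).  None when there is nothing to guess from."""
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        return labels[1] if len(labels) > 1 else None
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None


def my_nt_domain(user_name: str) -> Optional[str]:
    """STEP 3 of the thread: everything after the first dot of a host account's FQDN
    becomes My-NT-Domain; non-host accounts leave the attribute unset (None)."""
    m = HOST_ACCOUNT_RE.search(user_name)
    return m.group(1) if m else None


def ntlm_auth_args(user_name: str) -> Dict[str, Optional[str]]:
    """Values the thread's final ntlm_auth line would pass, i.e.
    --username=%{mschap:User-Name} --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}:
    My-NT-Domain wins when it is set, otherwise fall back to the mschap guess."""
    domain = my_nt_domain(user_name)
    if domain is None:
        domain = mschap_nt_domain(user_name)
    return {"username": mschap_user_name(user_name), "domain": domain}


if __name__ == "__main__":
    # The host account from the thread, plus a constructed DOMAIN\user and a bare user name.
    for name in ("host/dnps-caplap-4.col.missouri.edu", "UMC-USERS\\jdoe", "jdoe"):
        print(f"{name!r}: default guess --domain={mschap_nt_domain(name)!r}, "
              f"final {ntlm_auth_args(name)}")
```

For the thread's host account the default guess is `col` while the regex yields `col.missouri.edu`; a DOMAIN\user login never matches the regex, so it falls through to the original %{mschap:NT-Domain} behaviour.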

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> Could you send us the output of radiusd -X for a computer auth?

Done.  (See previous message with attachment.)

> If it works for users it should just work for machines.

Perhaps under certain circumstances, but not for us, apparently.  Perhaps it's 
the significant difference between the NT-style domain name and the AD-style 
domain name.  Perhaps it's the multi-domain AD structure.  I don't know.  I do 
know that users can successfully authenticate - IF they supply a domain as part 
of their credentials - and computers cannot.  Yet.

> You'll need to make sure you have samba > 3.0.23 [IIRC] [which you seem to
> have] and your ntlm_auth line has to have an appropriately formatted
> User-Name bit e.g. %{mschap:User-Name} (the mschap module will take
> host\\computer.domain.name and turn it in to computer$ automatically).

Yup.  Samba 3.5.4.  Here's the ntlm_auth line used (from mschap module):

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} 
--domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00} 

Interestingly enough, the modules/ntlm_auth file contains something completely 
different, though I don't think it is in play:

exec ntlm_auth {
wait = yes
program = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} 
--password=%{User-Password}
}

--J


RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {

Something's wrong with the regex here.  From the config:

if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {

From radiusd -X:

User-Name = host/dnps-caplap-4.col.missouri.edu
...
? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -> FALSE

I removed the ^ and $ anchors and got better results, but still not working:

+- entering group authorize {...}
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) - TRUE
++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
+++[control] returns notfound
++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
++[preprocess] returns ok

Here's the code it's trying to execute.  There must be something wrong with the 
update control section:

if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
update control {
Proxy-To-Realm := %{2}
}
}

This looks related:

WARNING: You set Proxy-To-Realm = %{2}, but the realm does not exist!  
Cancelling invalid proxy request.

I changed the %{2} to $2, but it does basically the same thing:

WARNING: You set Proxy-To-Realm = $2, but the realm does not exist!  Cancelling 
invalid proxy request.

Here's more context as to what it's doing.  Basically, the User-Name and 
NT-Domain (nor realm) are getting changed into something usable by ntlm_auth.

rad_recv: Access-Request packet from host 128.206.131.253 port 20007, id=9, 
length=209
NAS-Port-Id = AP85/1
Calling-Station-Id = 00-90-4B-2F-80-B4
Called-Station-Id = 5C-E2-86-00-15-C0:Eddies Office
Service-Type = Framed-User
EAP-Message = 
0x0201002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
User-Name = host/dnps-caplap-4.col.missouri.edu
NAS-Port = 479
NAS-Port-Type = Wireless-802.11
NAS-IP-Address = 128.206.131.253
NAS-Identifier = nortel
Message-Authenticator = 0xa6b9a66a7a99f19b8adc326da2ad0052
server campus-eap {
+- entering group authorize {...}
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) - TRUE
++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
+++[control] returns notfound
++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/dnps-caplap-4.col.missouri.edu, looking 
up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = host/dnps-caplap-4.col.missouri.edu, looking 
up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] Request is supposed to be proxied to Realm $2.  Not doing EAP.
++[eap] returns noop
++[unix] returns notfound
[files] expand: %{Client-IP-Address} -> 128.206.131.253
rlm_ldap: Entering ldap_groupcmp()
[files] expand: DC=edu -> DC=edu
[files] expand: 
(|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> 
(|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=edu, with filter 
(|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: %{Client-IP-Address} -> 128.206.131.253
rlm_ldap: Entering ldap_groupcmp()
[files] expand: DC=edu -> DC=edu
[files] expand: 
(|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> 
(|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=edu, with filter 
(|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: You set Proxy-To-Realm = $2, but the realm does not exist!  Cancelling 
invalid proxy request.
No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
Failed to authenticate the user.
Login incorrect: [host/dnps-caplap-4.col.missouri.edu] (from client 
test-wss2380 port 479 cli 00-90-4B-2F-80-B4)
} # server campus-eap
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 
host/dnps-caplap-4.col.missouri.edu
 attr_filter: Matched entry DEFAULT at line 

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
> this stuff doesnt touch the User-Name - it just looks at it
> and alters the servers proxy choosing behaviour which
> is what makes it useful and powerful.

It's not doing it correctly yet.  See previous message.

> the language is 'unlang' - its a built in parser in
> freeradius - making the server very powerful by being able to
> actually put coding logic into the config filesin short
> its brilliant.  'man unlang' for more info

Yup.  I've been reading that, but it's a lot to digest in a short amount of 
time.  Working on that.

>> radiusd -XC likes it.  Hopefully, I'll be able to tell if
>> one or both of these schemes works fairly early tomorrow.
>
> I was going to suggest a session of radiusd -X   because in
> the output you can actually SEE the logic decisions
> being made - which really really helps with dealing with
> false/true hits where you might not expect them..
> the old 'why didnt that match?' question gets answered very quickly

I sent a relevant snippet in my last message (unredacted in any way).

The worst part of what I sent just now is that it was no longer attempting EAP. 
 LDAP auth for the host/blah.blah will never work, since the computer doesn't 
have a cleartext password.  It's going to have to go through mschap if it's 
going to succeed.  I think.  (Feel free to tell me I'm nuts...)

--J


RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
>> Proxy-To-Realm := %{2}
> Proxy-To-Realm := %{2}

Yeah, I just figured that out.  :/  Adjusting and re-testing.

--J


RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
>> if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
>>     update control {
>>         Proxy-To-Realm := %{2}
>>     }
>> }

Part of my troubleshooting involved changing the code to this:

if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
switch %{2} {
case 'col.missouri.edu' {
update control {
Proxy-To-Realm := 'UMC-USERS'
}
}
case 'um.umsystem.edu' {
update control {
Proxy-To-Realm := 'UM-USERS'
}  
}
}
}

Now it matches, but something about the regex is still wrong (mainly, the 
multi-character captures) because it's not expanding correctly.  Short version:

...
User-Name = host/dnps-caplap-4.col.missouri.edu
...
+- entering group authorize {...}
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
expand: %{2} -> s
+++- entering switch %{2} {...}
- switch %{2} returns notfound
+++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
++[preprocess] returns ok

So... %{2} expands to 's', which could be the 's' in 'dnps' or one of the 's' 
in 'missouri'.  Definitely going to have to re-write this regex somewhat.  :/

Suggestions welcome.  Here's the logic behind the original regex:

# host, a slash, one or more non-dot characters, a dot,
# one or more non-whitespace chars.

I'd like to use the Beginning Of Line and End Of Line anchors as well, but I'm 
going to have to figure out why the rest of it is failing before I can add 
those restrictions.

Btw, thanks for the help so far.  Much appreciated!

--J


RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
Should I post the debug log here, or a pastebin, or...?

--J 

 -Original Message-
 From: 
 freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius
 .org 
 [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.fr
 eeradius.org] On Behalf Of Alan DeKok
 Sent: Sunday, February 27, 2011 1:51 PM
 To: FreeRadius users mailing list
 Subject: Re: New User and AD Question
 
 McNutt, Justin M. wrote:
  New member to the list, here.  I have a question about AD 
 computer-based
  authentication.  Basically, how is it accomplished?
 
 http://deployingradius.com/documents/configuration/active_dire
 ctory.html
 
   It's pretty much the same as normal user authentication.  PEAP goes
 in, authentication goes out, never a miscommunication. :)
 
  The EAP functions for clients using EAP-TTLS and EAP-PEAP 
 work just fine
  for all users in all domains (authenticated via ntlm_auth) 
 EXCEPT for
  the host\\computer.domain.name users (the computer accounts).  I'd
  like to make this work, partly because a large number of the failed
  login attempts in my logs are from hosts that are valid 
 domain members.
 
   So... what goes wrong?
 
  Sooo... help?  What's the basic idea behind making this work?
 
   Post the debug log from a failed session.
 
   Alan DeKok.


RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
Removing the shared secrets, LDAP user passwords, etc. was the redacting I was 
talking about.  That, and removing the thousands of messages related to other 
users' auth attempts, if I had had to do this on a production server.

Fortunately, that wasn't necessary.  I was able to get a valid debug log from 
the test server.

--J 

 -Original Message-
 From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Sallee, Stephen (Jake)
 Sent: Sunday, February 27, 2011 4:05 PM
 To: FreeRadius users mailing list
 Subject: RE: New User and AD Question
 
 Two comments about posting logs ... 
 
 #1 Post the entire log of radiusd -X (NOT -XX, that has a 
 bunch of timestamps we don't need) and don't redact anything 
 that's not privileged info, you can very easily remove the 
 portion of the log that holds the answer to your questions.
 
 #2  your output of radiusd -X WILL CONTAIN your SSL cert 
 passwords in CLEAR TEXT!  So make sure you remember to scrub 
 them of any info you don't want becoming public.
 
 Jake Sallee
 Godfather Of Bandwidth
 Network Engineer
 
 Fone: 254-295-4658
 Phax: 254-295-4221
 
 
 -Original Message-
 From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of McNutt, Justin M.
 Sent: Sunday, February 27, 2011 2:05 PM
 To: FreeRadius users mailing list
 Subject: RE: New User and AD Question
 
  McNutt, Justin M. wrote:
   New member to the list, here.  I have a question about AD
  computer-based
   authentication.  Basically, how is it accomplished?
  
  
  http://deployingradius.com/documents/configuration/active_directory.html
  
It's pretty much the same as normal user authentication.  
 PEAP goes 
  in, authentication goes out, never a miscommunication. :)
 
 If I recall, we used this walkthrough to get user 
 authentication to work (which it does), but it still doesn't 
 work for host authentication.  This is keeping in mind that 
 users' creds come across as NT-LIKE-DOMAIN\\USERID but 
 hosts appear as host\\computer.ad.domain.name AND that 
 NT-LIKE-DOMAIN and ad.domain.name do not look at all alike.
 
 I'll re-read the link, though, just to be sure.
 
So... what goes wrong?
 
 For users, it's a number of things.  Bad passwords.  Attempts 
 to use EAP-TLS or EAP-MD5 (which we don't support).  
 Misspelled or missing domain names.  That sort of thing.
 
 For the hosts, it Just Doesn't Work.  I have yet to determine 
 why.  (More research.)
 
Post the debug log from a failed session.
 
 Will do.  (Pulling just the relevant bits out will be 
 difficult, given the verbosity of 'radiusd -X' but I have no 
 shortage of hosts attempting this, so it shouldn't take long.)
 
 --J


RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
I don't have a modules/prefix file.  I have a preprocess file, which is called 
at the top of the authorize section of the campus-eap virtual server (this is 
the default, I believe).

From the debug log, request 9:

server campus-eap {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = host/doit-tcb-agl.col.missouri.edu, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop

The preacct section of raddb/sites-available/campus-eap has this as well.

Several files make mention of the realm module.  In this case, I'm trying to 
use DOIT-TCB-AGL as the user name and COL.MISSOURI.EDU as the realm (or 
domain).  What I'm not clear on is how to code a realm { } section to match 
this:

host/$USER.$REALM where the first dot is a delimiter, the remaining dots are 
part of the realm, and the prefix host/ is only used to identify that this 
section should be used to process the ID.

Or am I going off in the completely wrong direction here?

--J

 -Original Message-
 From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Alan Buxey
 Sent: Monday, February 28, 2011 3:16 PM
 To: FreeRadius users mailing list
 Subject: Re: New User and AD Question
 
 hi,
 
 in your campus-eap virtual server you are not making a call to
 eg the prefix module  (put straight after the preprocess module)
 
 ie
 
 preprocess
 suffix
 ntdomain
 
 
 do this in the authorization and preacct sections to handle 
 these better
 
 
 alan


RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
I'll try it, but I've read it, and I don't see how this (from realm module):

#
#  'domain\user'
#
realm ntdomain {
format = prefix
delimiter = \\
}   

Is going to apply to this:

User-Name = host/doit-tcb-agl.col.missouri.edu

--J

 -Original Message-
 From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Alan Buxey
 Sent: Monday, February 28, 2011 4:42 PM
 To: FreeRadius users mailing list
 Subject: Re: New User and AD Question
 
 Hi,
 
  I don't have a modules/prefix file.  I have a preprocess 
 file, which is called at the top of the authorize section 
 of the campus-eap virtual server (this is the default, I believe).
  
 
 just add ntdomain as i said 
 
 read the realm module for description about fall through
 
 
 alan


RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
Attempted and failed.  Can authenticate users, but host authentication still 
fails.

Uncommented ntdomain from both the authorize and preacct sections of 
/etc/raddb/sites-available/campus-eap.  Same behavior as before.

--J 

 -Original Message-
 From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Alan Buxey
 Sent: Monday, February 28, 2011 4:42 PM
 To: FreeRadius users mailing list
 Subject: Re: New User and AD Question
 
 Hi,
 
  I don't have a modules/prefix file.  I have a preprocess 
 file, which is called at the top of the authorize section 
 of the campus-eap virtual server (this is the default, I believe).
  
 
 just add ntdomain as i said 
 
 read the realm module for description about fall through
 
 
 alan


RE: New User and AD Question: OT hijack

2011-02-28 Thread McNutt, Justin M.
Yes, and no, respectively.  My wife has taken the kids there, but I have never 
been.

--J 

 -Original Message-
 From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Gary Gatten
 Sent: Monday, February 28, 2011 5:34 PM
 To: 'freeradius-users@lists.freeradius.org'
 Subject: Re: New User and AD Question: OT hijack
 
 First, is your last name really McNutt?  And, have you ever 
 been by the house near MU that has camels and zebras in the 
 front yard?
 
 - Original Message -
 From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
 Sent: Monday, February 28, 2011 04:52 PM
 To: FreeRadius users mailing list 
 freeradius-users@lists.freeradius.org
 Subject: RE: New User and AD Question
 
 I'll try it, but I've read it, and I don't see how this (from 
 realm module):
 
 #
 #  'domain\user'
 #
 realm ntdomain {
 format = prefix
 delimiter = \\
 }   
 
 Is going to apply to this:
 
 User-Name = host/doit-tcb-agl.col.missouri.edu
 
 --J
 
  -Original Message-
  From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Alan Buxey
  Sent: Monday, February 28, 2011 4:42 PM
  To: FreeRadius users mailing list
  Subject: Re: New User and AD Question
  
  Hi,
  
   I don't have a modules/prefix file.  I have a preprocess 
  file, which is called at the top of the authorize section 
  of the campus-eap virtual server (this is the default, I believe).
   
  
  just add ntdomain as i said 
  
  read the realm module for description about fall through
  
  
  alan


RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
 ignore me. i'm tired. yes, this is a little bit of pain.  

I understand.  I wondered about that when I saw the ac.uk.  You must be working 
hours similar to mine.  (That is, all of them.)

 you'll be best off using a bit of unlang eg
 (put this in the authorize section of your main virtual server)
 
 if ( User-Name =~ /^host\//i ) {
     if ( User-Name =~ /\\.col\\.missouri\\.edu$/i ) {
         update control {
             Proxy-To-Realm := col.missouri.edu
         }
     }
 }
 
 this will then throw the packet to the the part of proxy.conf that has
 col.missouri.edu
 
 
 a bit of regex foo and you can use %{1} return operators etc
 rather than hardcode things if you want. alternatively you can deal
 with what you know as yours and then identify what isn't yours
 and reject or proxy them
 
 machine auth can be pretty nasty...

That looks like Perl.  Perl, I can deal with.  I do have multiple domains to 
attack.  If I can come up with something generic that works for at least two 
domains, I'll post it here.  Looks predictable enough.  I'm thinking along the 
lines of something like this:

# BOL, host, a slash, one or more non-dot characters, a dot,
# one or more non-whitespace chars, EOL.
if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
    update control {
        Proxy-To-Realm := %{2};
    }
}

I have two toddlers crawling on me at the moment (literally), so I haven't 
checked unlang syntax, but from Perl, that's more or less what it would look 
like.  %{1} would contain the host name.  Do I need to update the User-Name to 
just %{1} and/or update other fields related to the realm (domain)?

It may be difficult to try this before tomorrow morning, since I'm now off 
site, but I'll at least work at it until radiusd -X is happy with it.

Thanks!

--J


RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
  # BOL, host, a slash, one or more non-dot characters, a dot,
  # one or more non-whitespace chars, EOL.
  if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
      switch %{2} {
          case 'my-domain-string-1' {
              update control {
                  Proxy-To-Realm := 'my-domain-1'
              }
          }
          case 'my-domain-string-2' {
              update control {
                  Proxy-To-Realm := 'my-domain-1'
              }
          }
          case 'my-domain-string-3' {
              update control {
                  Proxy-To-Realm := 'my-domain-2'
              }
          }
          case {
              # Domain not recognised
          }
      }
  }

I took this code and modified it, assuming that if the code I wrote before 
(which tries to use COL.MISSOURI.EDU as the realm) doesn't work, I can use 
the code above to take FOO.MISSOURI.EDU and proxy to the NT domain FOO-USERS, 
which is more than just massaging the User-Name field.  The switch statement 
will be necessary to translate the AD domain into the correct NT domain.

radiusd -XC likes it.  Hopefully, I'll be able to tell if one or both of 
these schemes works fairly early tomorrow.

Thanks!

--J


New User and AD Question

2011-02-27 Thread McNutt, Justin M.
New member to the list, here.  I have a question about AD computer-based 
authentication.  Basically, how is it accomplished?

I have Googled and Googled, but only found references to the fact that it *can* 
be done (mostly from archives of this list), but little reference on HOW to do 
it, other than that it has something to do with editing the realms file.  I 
also went to #freeradius on FreeNode, but it seemed there was rarely anyone in 
the channel.  So here I am.

I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5).  
It's running on an RHEL 5 virtual machine that is a member of an AD domain via 
Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers).  We 
have a multi-domain, single forest environment.

I'm running two virtual servers, based on the defaults.  I have the 
campus-main virtual server that is pretty much the exact same as the default, 
except that I have LDAP authentication enabled.  This works perfectly and is 
able to authenticate users for all domains.  I also have the campus-eap and 
campus-inner-tunnel virtual servers for EAP authentication that are the same 
as the default and inner-tunnel servers except for the names.  (I copied 
them so I could make changes to the campus-XXX virtual servers and still have 
the originals for reference.)

The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for 
all users in all domains (authenticated via ntlm_auth) EXCEPT for the 
host\\computer.domain.name users (the computer accounts).  I'd like to make 
this work, partly because a large number of the failed login attempts in my 
logs are from hosts that are valid domain members.

Sooo... help?  What's the basic idea behind making this work?

Thanks!

Justin McNutt
Network Systems Analyst - Ninja
DNPS, Mizzou Telecom
(573) 882-5183

Do you have a concussion?

Ping is NOT a service.  You don't need it.  Use a real test.



RE: New User and AD Question

2011-02-27 Thread McNutt, Justin M.
 McNutt, Justin M. wrote:
  New member to the list, here.  I have a question about AD 
 computer-based
  authentication.  Basically, how is it accomplished?
 
 http://deployingradius.com/documents/configuration/active_directory.html
 
   It's pretty much the same as normal user authentication.  PEAP goes
 in, authentication goes out, never a miscommunication. :)

If I recall, we used this walkthrough to get user authentication to work (which 
it does), but it still doesn't work for host authentication.  This is keeping 
in mind that users' creds come across as NT-LIKE-DOMAIN\\USERID but hosts 
appear as host\\computer.ad.domain.name AND that NT-LIKE-DOMAIN and 
ad.domain.name do not look at all alike.

I'll re-read the link, though, just to be sure.

   So... what goes wrong?

For users, it's a number of things.  Bad passwords.  Attempts to use EAP-TLS or 
EAP-MD5 (which we don't support).  Misspelled or missing domain names.  That 
sort of thing.

For the hosts, it Just Doesn't Work.  I have yet to determine why.  (More 
research.)

   Post the debug log from a failed session.

Will do.  (Pulling just the relevant bits out will be difficult, given the 
verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so 
it shouldn't take long.)

--J