Re: freeradius with NTLM authentication

2010-10-22 Thread Ramzi Abdallah
: checkrad will probably not work!
++[radutmp] returns noop
[sql]   expand: %{User-Name} - rsa
[sql] sql_set_user escaped user -- 'rsa'
[sql]   expand: %{Acct-Delay-Time} -
[sql]   ... expanding second conditional
[sql]   expand:INSERT INTO radacct
(acctsessionid,acctuniqueid, username,  realm,
   nasipaddress, nasportid,  nasporttype,
acctstarttime,acctstoptime,  acctsessiontime,
acctauthentic,connectinfo_start,  connectinfo_stop,
acctinputoctets,  acctoutputoctets,  calledstationid,
callingstationid, acctterminatecause,  servicetype,
framedprotocol,   framedipaddress,  acctstartdelay,
acctstopdelay,xascendsessionsvrkey)   VALUES
('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
'%{SQL-User-Name}',  '%{Realm}', '%{NAS-IP-Address}',
'%{NAS-Port}',  '%{NAS-Port-Type}', '%S', NULL,
  '0', '%{Acct-Authentic}', '%{Connect-Info}',  '', '0',
'0',  '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
 '%{Service-Type}', '%{Framed-Protocol}',
'%{Framed-IP-Address}',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
[attr_filter.accounting_response]   expand: %{User-Name} - rsa
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 41 to 193.188.X.X port 5028
Finished request 1.
Cleaning up request 1 ID 41 with timestamp +123
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 40 with timestamp +123
Ready to process requests.

Regards,

Ramzi


On Fri, Oct 22, 2010 at 1:06 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 10/21/2010 10:40 PM, Ramzi Abdallah wrote:

 I have configured freeradius version 2.1.9 with mySQL backend and Active
 Directory integration (NTLM) for the purpose of using it to authenticate
 users against firewall protected policies.


 So far it's all working. When a user hits a firewall protected policy he
 is prompted to authenticate, after which the RADIUS server queries AD for the
 username and password. If the user credentials are correct access is
 granted.

 What is prompting here? How is the firewall asking the user for a password?
 Is this web intercept?

 If so, then the NAS is the firewall, and when a user makes an HTTP request,
 it is asking for their credentials via some kind of HTTP auth, then sending
 them to the radius server, yes?


 Also, FreeRadius can't be querying AD for the password. The LDAP server
 embedded into Active Directory will not give up the password. How have you
 got FreeRadius configured - be precise, or better yet, post the debug output
 of a successful request.


 The bit that I cannot figure out is how to let the RADIUS server use NTLM to
 check if the user is already logged in to the domain controller and if so
 not to prompt him for his username and password via the firewall captive
 portal. Is that doable, or have I missed the idea behind the Active Directory
 integration?

 I'm not sure I really understand what you want, but if I do, it's
 impossible. If you can give more details about your setup I can answer
 further, but basically the firewall is doing the prompting - the firewall
 would have to implement NTLM auth, not FreeRadius.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html





freeradius with NTLM authentication

2010-10-21 Thread Ramzi Abdallah

I have configured freeradius version 2.1.9 with mySQL backend and Active Directory integration (NTLM) for the purpose of using it to authenticate users against firewall protected policies.

So far it's all working. When a user hits a firewall protected policy he is prompted to authenticate, after which the RADIUS server queries AD for the username and password. If the user credentials are correct access is granted.

The bit that I cannot figure out is how to let the RADIUS server use NTLM to check if the user is already logged in to the domain controller and if so not to prompt him for his username and password via the firewall captive portal. Is that doable, or have I missed the idea behind the Active Directory integration?

 

 

thank you

Ramzi

Netscreen 208 and Freeradius

2010-10-13 Thread Ramzi Abdallah
Hi,

I am trying to configure netscreen 208 firewall to authenticate and
account for users traffic when they login via the captive portal. I
have installed freeradius 2.1.9 on Fedora core 13.

in the /etc/raddb/users file I added the below entry for rsa

rsa     Cleartext-Password := "nopass"
        Service-Type = Framed-User

in the /etc/raddb/clients.conf I added

client 193.188.129.33 {
        nastype     = other
        secret      = 12345
        shortname   = vdk-u-nsaaa
}

when user rsa logs in to the captive portal the authentication is
successful, however user rsa still cannot access the internet.

rad_recv: Access-Request packet from host 193.188.129.33 port 49715,
id=1, length=49
User-Name = rsa
User-Password = nopass
NAS-IP-Address = 193.188.129.33
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry rsa at line 70
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password nopass
[pap] Using clear text password nopass
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 1 to 193.188.129.33 port 49715
Service-Type = Framed-User
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 1 with timestamp +135
Ready to process requests.

thank you for your help

Regards,

Ramzi


radwho and radtest

2009-12-09 Thread Ramzi Abdallah

hi,

I installed FreeRADIUS Version 2.1.7 from the RPM package that is included with
Fedora core 12. The server starts without errors and authentication is working
fine. The problem I am having is that radwatch displays no output and
radtest fails.

output of the radtest
-
[r...@dia ~]# radtest rsa hello localhost 1812 testing123
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Sending Access-Request of id 42 to ::1 port 1812
User-Name = rsa
User-Password = hello
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
radclient: no response from server for ID 42 socket 3
[r...@dia ~]#


output of radwho
-
[r...@dia raddb]# radwho
Login  Name  What  TTY  When  FromLocation
[r...@dia raddb]#


[r...@dia ~]# radwatch
A radiusd process already exists
[r...@dia ~]#


I have also attached the output of radiusd -X


any help would be greatly appreciated

[attachment: radiusd -X output]
FreeRADIUS Version 2.1.7, for host i386-redhat-linux-gnu, built on Sep 16 2009 at 08:28:14
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/control-socket
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = 

RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

thank you Alan for the quick reply. It worked just fine. Now I am still facing
the problem with radwho and radlast. Any idea?


Regards,

Ramzi




 Date: Wed, 9 Dec 2009 20:00:29 +
 From: a.l.m.bu...@lboro.ac.uk
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 Subject: Re: radwho and radtest
 
 hi,
 
 according to your output, it looks like localhost is mapping to ::1
 
 which is the local box IPv6 address (like 127.0.0.1 is in IPv4 world)
 
 by default, FreeRADIUS won't be listening on the IPv6 interface... if you configure
 it so that it is then this will work -
 
 otherwise change your command to eg
 
 radtest rsa hello 127.0.0.1 1812 testing123
 
 
 or change your hosts file so that localhost maps to 127.0.0.1 first!
 
 alan
 

RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

Thank you Gera, attached are copies of the users and clients.conf config
files. Normally when I run radwho and radlast I am authenticated with user rsa,
so I should at least see my login :)

Regards,

Ramzi


 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 Subject: Re: radwho and radtest
 From: g...@gera.me
 Date: Wed, 9 Dec 2009 13:09:57 -0700
 
 
 A copy of the relevant parts of your users and clients config files would be 
 great.
 
 If nobody's logged in, it's fine if you see nothing on the radwho output
 
 On Wednesday 09 December 2009 12:41:48 pm Ramzi Abdallah wrote:
  hi,
  
  I installed FreeRADIUS Version 2.1.7 from the RPM package that is included
   with Fedora core 12. The server starts without errors and authentication
   is working fine. The problem I am having is that radwatch displays no
   output and radtest fails.
  
  output of the radtest
  -
  [r...@dia ~]# radtest rsa hello localhost 1812 testing123
  Sending Access-Request of id 42 to ::1 port 1812
  User-Name = rsa
  User-Password = hello
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 1812
  Sending Access-Request of id 42 to ::1 port 1812
  User-Name = rsa
  User-Password = hello
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 1812
  Sending Access-Request of id 42 to ::1 port 1812
  User-Name = rsa
  User-Password = hello
  NAS-IP-Address = 127.0.0.1
  NAS-Port = 1812
  radclient: no response from server for ID 42 socket 3
  [r...@dia ~]#
  
  
  output of radwho
  -
  [r...@dia raddb]# radwho
  Login  Name  What  TTY  When  FromLocation
  [r...@dia raddb]#
  
  
  [r...@dia ~]# radwatch
  A radiusd process already exists
  [r...@dia ~]#
  
  
  I have also attached the output of radiusd -X
  
  
  any help would be greatly appreciated
  
  
  
  
  
 

[attachment: users file]
#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser   Auth-Type := Reject
#   Reply-Message = Your account has been disabled.

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT    Group == "disabled", Auth-Type := Reject
#   Reply-Message = "Your account has been disabled."
#
#


rsa     Cleartext-Password := "hello"
        Reply-Message = "Hello, %{User-Name}"



#
#
# This is a complete entry for steve. Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
#steve  Cleartext-Password := testing
#   Service-Type = Framed-User,
#   Framed-Protocol = PPP,
#   Framed-IP-Address = 172.16.3.33,
#   Framed-IP-Netmask = 255.255.255.0,
#   Framed-Routing = Broadcast-Listen,
#   Framed-Filter-Id = std.ppp,
#   Framed-MTU = 1500,
#   Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe" Cleartext-Password := "hello"
#   Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg    Cleartext-Password := "ge55ged"
#   Service-Type = Callback-Login-User,
#   Login-IP-Host = 0.0.0.0,
#   Callback-Number = 9,5551212,
#   Login-Service = Telnet,
#   Login-TCP-Port = Telnet

#
# Another complete entry. After the user dialbk has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host timeshare1.
#
#dialbk Cleartext-Password := callme
#   Service-Type = Callback-Login-User,
#   Login-IP-Host = timeshare1,
#   Login-Service = PortMaster,
#   Callback-Number = 9,1-800-555-1212

#
# user swilson will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file

RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

thanks Ivan, when I run in debug mode I get the below errors

++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID 
MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 193.188.129.17,NAS-IP-Address = 
193.188.129.17,Acct-Session-Id = 00550003,User-Name = rsa'
[acct_unique] Acct-Unique-Session-ID = cc3ac6adce99a1dd.
++[acct_unique] returns ok
[suffix] No '@' in User-Name = rsa, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
++[files] returns noop


[radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
[radutmp]   expand: %{User-Name} - rsa
  rlm_radutmp: No NAS-Port seen.  Cannot do anything.
  rlm_radumtp: WARNING: checkrad will probably not work!
++[radutmp] returns noop


 Date: Wed, 9 Dec 2009 21:32:55 +
 Subject: RE: radwho and radtest
 From: t...@kalik.net
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 
  thank you alan for the quick reply. It worked just fine. Now I am still
  facing the problem with the radwho and radlast. Any idea
 
 Yes, you have sent an authentication request. No accounting. So there is
 nothing for radwho to show. It displays accounting information. In case
 you weren't aware, radius server doesn't generate accounting information.
 
 Ivan Kalik
 

RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

great, then I have to contact the fortinet guys to see why this is happening



 Date: Wed, 9 Dec 2009 22:08:56 +
 Subject: RE: radwho and radtest
 From: t...@kalik.net
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 
  [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
  ID MAY be inconsistent
 ...
rlm_radutmp: No NAS-Port seen.  Cannot do anything.
 
 Nothing mysterious in those messages. NAS is not sending NAS-Port and
 radutmp needs it to work.
 
 Ivan Kalik
 
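Ivan's two answers together say what radwho needs: an Accounting-Request from the NAS, carrying NAS-Port. The Python script below is an added example, not from the thread and not FreeRADIUS code. It builds a constructed Accounting-Request from the attributes visible in the debug output above (User-Name rsa, NAS-IP-Address 193.188.129.17, Acct-Session-Id 00550003, Acct-Status-Type Start), verifies the RFC 2866 Request Authenticator against an assumed shared secret (testing123), decodes the attributes, and lists which of the ones rlm_radutmp relies on are absent. The list of required attributes is this example's own reading of the thread (NAS-Port is the one the firewall omitted), not a table taken from FreeRADIUS.

```python
"""Audit an Accounting-Request for what radutmp needs and check its authenticator.

Added example, not part of the thread or of FreeRADIUS.  The sample packet is
constructed here from the attributes shown in the thread's debug output; the
shared secret "testing123" is assumed.
"""
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              40: "Acct-Status-Type", 44: "Acct-Session-Id", 61: "NAS-Port-Type"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
# Attributes this audit treats as needed to record a session in radutmp
# (NAS-Port is the one the thread's NAS did not send).
REQUIRED_FOR_RADUTMP = ("User-Name", "NAS-IP-Address", "NAS-Port",
                        "Acct-Session-Id", "Acct-Status-Type")


def avp(attr_type, value):
    """Encode one attribute-value pair: type, length (incl. header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret, attrs, ident=7):
    """RFC 2866: Request Authenticator =
    MD5(code + id + length + 16 zero octets + attributes + secret)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + b"\x00" * 16 + body + secret.encode()).digest()
    return head + auth + body


def verify_accounting_authenticator(packet, secret):
    """True when the packet's authenticator matches the shared secret; a NAS
    with the wrong secret (or a spoofed packet) fails here and the server
    should not account for it."""
    head, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + b"\x00" * 16 + body + secret.encode()).digest()
    return hmac.compare_digest(auth, expected)


def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header, refusing bad lengths."""
    end = struct.unpack("!H", packet[2:4])[0]
    if end > len(packet) or end < 20:
        raise ValueError("declared length %d does not fit the packet" % end)
    attrs, pos = [], 20
    while pos + 2 <= end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def audit(packet, secret):
    """Decode the attributes, list the radutmp-relevant ones that are missing,
    and report whether the authenticator matched the shared secret."""
    decoded = {}
    for attr_type, value in parse_attributes(packet):
        name = ATTR_NAMES.get(attr_type, "Attr-%d" % attr_type)
        if name == "NAS-Port":
            decoded[name] = struct.unpack("!I", value)[0]
        elif name == "Acct-Status-Type":
            decoded[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        elif name == "NAS-IP-Address":
            decoded[name] = socket.inet_ntoa(value)
        else:
            decoded[name] = value.decode(errors="replace")
    missing = [a for a in REQUIRED_FOR_RADUTMP if a not in decoded]
    return {"attributes": decoded, "missing_for_radutmp": missing,
            "authenticator_ok": verify_accounting_authenticator(packet, secret)}


SAMPLE_SECRET = "testing123"  # assumed; not given in the thread


def make_sample(include_nas_port=False):
    """Constructed Start record matching the thread's debug output; with
    include_nas_port=True it is what a correctly configured NAS would send."""
    attrs = [(1, b"rsa"), (4, socket.inet_aton("193.188.129.17"))]
    if include_nas_port:
        attrs.append((5, struct.pack("!I", 3)))
    attrs += [(44, b"00550003"), (40, struct.pack("!I", 1))]
    return build_accounting_request(SAMPLE_SECRET, attrs)


if __name__ == "__main__":
    print(audit(make_sample(), SAMPLE_SECRET))
    print(audit(make_sample(include_nas_port=True), SAMPLE_SECRET))
```

Run against a capture of the real firewall's accounting traffic, the same `audit` call shows in one line both why radutmp stays empty (the `missing_for_radutmp` list) and whether the NAS and server actually share a secret, which is worth confirming before opening a ticket with the firewall vendor.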

RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

I get this when I login to the firewall



 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 Subject: Re: radwho and radtest
 From: g...@gera.me
 Date: Wed, 9 Dec 2009 15:28:30 -0700
 
 
 Maybe I'm missing something, but is this shown while you do use the radtest 
 command? If so, then it's normal that you get nothing on radwho.
 
 If you get nothing on radwho when using the NAS (and you didn't go so far 
 from the default freeradius configuration), then indeed you still need to 
 configure it to send accounting data to radius.
 
 
 On Wednesday 09 December 2009 02:58:13 pm Ramzi Abdallah wrote:
  thanks Ivan, when I run in debug mode I get the below errors
  
  ++[preprocess] returns ok
  [acct_unique] WARNING: Attribute NAS-Port was not found in request, unique
   ID MAY be inconsistent [acct_unique] Hashing ',Client-IP-Address =
   193.188.129.17,NAS-IP-Address = 193.188.129.17,Acct-Session-Id =
   00550003,User-Name = rsa' [acct_unique] Acct-Unique-Session-ID =
   cc3ac6adce99a1dd.
  ++[acct_unique] returns ok
  [suffix] No '@' in User-Name = rsa, looking up realm NULL
  [suffix] No such realm NULL
  ++[suffix] returns noop
  ++[files] returns noop
  
  
  [radutmp]   expand: /var/log/radius/radutmp - /var/log/radius/radutmp
  [radutmp]   expand: %{User-Name} - rsa
rlm_radutmp: No NAS-Port seen.  Cannot do anything.
rlm_radumtp: WARNING: checkrad will probably not work!
  ++[radutmp] returns noop
  
   Date: Wed, 9 Dec 2009 21:32:55 +
   Subject: RE: radwho and radtest
   From: t...@kalik.net
   To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
  
thank you alan for the quick reply. It worked just fine. Now I am still
facing the problem with the radwho and radlast. Any idea
  
   Yes, you have sent an authentication request. No accounting. So there is
   nothing for radwho to show. It displays accounting information. In case
   you weren't aware, radius server doesn't generate accounting information.
  
   Ivan Kalik
  

RE: radwho and radtest

2009-12-09 Thread Ramzi Abdallah

hello Ivan

attached is the complete debug log



 Date: Wed, 9 Dec 2009 23:28:49 +
 Subject: RE: radwho and radtest
 From: t...@kalik.net
 To: rabdal...@pobox.com; freeradius-users@lists.freeradius.org
 
 
  I get this when I login to the firewall
 
 It would help if you wouldn't edit the debug. Post the whole thing: request
 + processing (both for authentication and accounting).
 
 Ivan Kalik
 

[attachment: putty.log]