FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
Hello,

I recently discovered that my Freeradius 1.1.7 install is no longer sending
access-deny messages for bad passwords.  This causes the device to mark the
radius server as down and move on to the next one, or just marks it as
down.  I know it's probably something I did in the config, but for the life
of me can't figure out how I managed to cause that.  Everything else on the
install works great, with the exception that no access-deny packets ever
move.

Any ideas?

Ryan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
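A way to check the behaviour Ryan describes from outside the server, as an added example that is not code from the thread or from FreeRADIUS: the script below builds an RFC 2865 Access-Request carrying a PAP User-Password and an RFC 2869 Message-Authenticator (the same three attributes as the 62-byte requests in the debug output that follows), sends it, and classifies the outcome as accept, reject or no reply; the last is the case a NAS treats as a dead server. Host, port, shared secret and credentials are assumptions to replace. `build_response` plays the server side so that the reply check can be exercised offline against a constructed Access-Reject.

```python
# Probe a RADIUS server for Access-Accept / Access-Reject / silence.
# Added example, not code from the thread or from FreeRADIUS; host, port,
# shared secret and credentials are assumptions to replace.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_MESSAGE_AUTHENTICATOR = 1, 2, 80

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: zero-pad to a 16-byte multiple, then XOR each block with
    # MD5(secret + previous ciphertext block); the first block uses the
    # Request Authenticator. The password is only as hidden as the secret.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    # Server-side inverse; strips the zero padding, as RFC 2865 specifies.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    # One type-length-value attribute (RFC 2865 5); value is at most 253 bytes.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, password, secret, authenticator=None):
    # Returns (packet, request_authenticator). For user "test" and a short
    # password this is 62 bytes, like the requests in the debug output.
    authenticator = authenticator or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    # RFC 2869 5.14: HMAC-MD5 keyed with the secret over the whole packet,
    # computed with the Message-Authenticator value set to 16 zero bytes.
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac), authenticator

def verify_message_authenticator(packet, secret):
    # Recompute the HMAC with the attribute value zeroed; constant-time compare.
    i = 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[i + 2:i + 18])
        i += alen
    return False

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # The server side (RFC 2865 3): Response Authenticator =
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def check_response(resp, ident, request_authenticator, secret):
    # Name the reply; a wrong ID or Response Authenticator (forged reply,
    # mismatched secret) must never be counted as an accept.
    if len(resp) < 20 or resp[1] != ident:
        return "bad-id"
    code, _, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code-%d" % code)

def probe(host, secret, user, password, port=1812, timeout=3.0):
    # "no-reply" is the condition the thread is about: the NAS times out and
    # marks the server dead instead of receiving an Access-Reject.
    ident = os.urandom(1)[0]
    packet, request_authenticator = build_access_request(ident, user, password, secret)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "no-reply"
    finally:
        sock.close()
    return check_response(data, ident, request_authenticator, secret)
```

Run it as `probe("radius.example.net", b"testing123", "test", "test2")` with your own host and secret (the ones here are assumptions): a healthy server answers "reject" for the wrong password and "accept" for the right one; "no-reply" reproduces the symptom in the post. The reply check refuses anything whose Response Authenticator does not verify, so a mismatched secret shows up as "bad-authenticator" rather than being mistaken for a result.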

Re: FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
That setting was at the default of 1, I tried setting it to zero, no effect.

Here is the debug output with first a successful user followed by the same
user with a bad pwd.


--

rad_recv: Access-Request packet from host 10.15.251.232:1387, id=6,
length=62
User-Name = test
User-Password = test
Message-Authenticator = 0x0adeae0c4cb8659e2aaede3adb6009a3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module ntdomain returns noop for request 0
users: Matched entry DEFAULT at line 1
users: Matched entry test at line 33
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=***,dc=**,dc=**'
radius_xlat:  '(uid=test)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.2.16.156:389, authentication 0
rlm_ldap: bind as cn=ITDRADIUSC,ou=USERS,ou=ITD,dc=nd,dc=gov/X27wireless45
to 10.2.16.156:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=***,dc=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(uid=test)'
radius_xlat:  'ou=***,dc=**,dc=***'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=***,**=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module  returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test] (from client NetworkEquipment port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/reply-detail-20080829
  modcall[post-auth]: module reply_log returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 6 to 10.15.251.232 port 1387
NS-Admin-Privilege = Root-Admin
APC-Service-Type = 1
Service-Type = Administrative-User
Cisco-AVPair = shell:priv-lvl=15
Filter-Id = unlim
Extreme-Shell-Command = Enable
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...



--





rad_recv: Access-Request packet from host 10.15.251.232:1337, id=5,
length=62
User-Name = test
User-Password = test2
Message-Authenticator = 0x9bb6290c9d5e7dcffeeafe87e2c65b40
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
radius_xlat:  '/var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829'
rlm_detail:
/var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radius-switch/radacct-switch/
10.15.251.232/auth-detail-20080829
  modcall[authorize]: module auth_log returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
rlm_realm: No '\' in User-Name = test, looking up realm NULL
  

Machine auth without cert - EAP-PEAP/MSCHAPV2

2008-02-25 Thread Ryan Kramer
I've been experimenting with machine auth without using a cert, but I seem
to be stuck on the fact that FreeRadius will not authenticate a local user.

I see the request come across through debugging with a username of
host/mymachine.mydomain.com, and no password, and in my users file I have

host/mymachine.mydomain.com Cleartext-Password=, Auth-Type := Local,
MS-CHAP-Use-NTLM-Auth := 0
Filter-ID = WIRELESS-USER,
Fall-Through = 0

but for some reason it never authenticates...  I've tried both with and without
the MS-CHAP option, that doesn't seem to change it.  Also tried
User-Password instead of Cleartext-Password, no change.  Any suggestions?

Ryan

Re: MSCHAP test client?

2007-07-12 Thread Ryan Kramer

JRadius simulator will do MSCHAPv2 very well...


http://jradius.org/wiki/index.php/JRadiusSimulator




On 7/12/07, Hugh Messenger [EMAIL PROTECTED] wrote:


Phil Mayers said:
 On Thu, 2007-07-12 at 11:46 -0500, Hugh Messenger wrote:
  Has anyone ever come across a RADIUS test client which supports
  MSCHAP?

 If you mean plain MS-CHAP, you can do it with radclient, since with
 plain MS-CHAP the NAS generates the challenge and sends it to the
 radius server with the response. Since the response for any given
 challenge is the same, you can just capture a chal/resp pair (e.g. in
 debug mode) and replay it an arbitrary number of times.

Ah HAH!  That is exactly what I needed, thankyou.

 If you mean EAP/MS-CHAP (or EAP/PEAP/MS-CHAP) you can use eapol_test
 from wpa_supplicant.

That's next month, as part of our baby-steps migration to FR.  For now it's
just our PPPOE clients.  Then dialup.  Then funky stuff.

   -- hugh



Re: [meta] admin tools and utilities

2007-06-28 Thread Ryan Kramer

Haven't tried ntradping, but jradiussimulator does a great job of being a
simulated radius client.

http://jradius.org/wiki/index.php/JRadiusSimulator



On 6/28/07, Hugh Messenger [EMAIL PROTECTED] wrote:


 Forgive me if meta-discussions are frowned upon.



I was just wondering what tools and utilities (not shipped with
freeradius) people find useful in day to day admin and testing.



My vote goes to NTRadPing, a fully featured Windows take on the standard
UN*X radping.  Freebie, from http://www.dialways.com/download/.  Very
intuitive UI for creating, saving, loading and executing auth and accounting
queries.  Configurable dictionary file.  I'd be lost without it.



Something I'd really like to find is an 'unsolicited' test service,
simulating a NAS listening on 1700, to help diagnose disconnect request
issues.



   -- hugh




Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer

I'm having the same problem on 1.1.6, but when I try the cobb
Cleartext-Password := secret as below, i get this when starting...

/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
attribute Cleartext-password
Errors reading /etc/raddb-test/users
radiusd.conf[1052]: files: Module instantiation failed.
radiusd.conf[1654] Unknown module files.
radiusd.conf[1589] Failed to parse authorize section.



On 6/20/07, Alan DeKok [EMAIL PROTECTED] wrote:


Matt Cobb wrote:
 Tried:

   cobb Cleartext-Password:=secret

 same result:

  Please post the ENTIRE debug output.  Trust me, MS-CHAP works in the
server.  Put that entry at the TOP of the users file, and it should
work.  Odds are you put it in the middle of the users file, and
there's an earlier entry which means that the cobb entry is never used.

  Alan DeKok.

Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer

Alan DeKok already hit it head on, I had an old version of the radius
dictionary hanging around.  -v doesn't list the version of the modules or
dictionary file unfortunately.  Swapped in the new one and it works

Ryan



On 6/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Hi,
 I'm having the same problem on 1.1.6, but when I try the cobb
 Cleartext-Password := secret as below, i get this when starting...

 /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
 attribute Cleartext-password
 Errors reading /etc/raddb-test/users
 radiusd.conf[1052]: files: Module instantiation failed.
 radiusd.conf[1654] Unknown module files.
 radiusd.conf[1589] Failed to parse authorize section.


output of  `radiusd -v` please

alan

Re: Frreradius PAP and CHAP

2007-06-19 Thread Ryan Kramer

Instead of using radclient/radtest, this program BY FAR is the best way to
debug a radius box...

http://jradius.org/wiki/index.php/JRadiusSimulator




On 6/19/07, hao chen [EMAIL PROTECTED] wrote:


Hi, Ivan

   I want to know how to test CHAP with radclient (I have no NAS).
Could you give me an example of the radclient configuration file?
Thank you.
-chenhao








2007/6/20, [EMAIL PROTECTED] [EMAIL PROTECTED]:

 No, not with radtest. You can use radclient, which has much more
 ability, but is also more complicated.

 Use, for instance, XP dialup connection. In connection properties click
 on Security tab, Advanced radio button and then Settings button. By
 default all protocols are ticked. Leave only CHAP ticked and exit with
 OK. Once you are done with testing remember to go back and add protocols
 back.

 WARNING: This will work only if the NAS you are connecting through also
 supports CHAP authentication. If it doesn't, XP client with only CHAP
 enabled won't be able to connect.

 Ivan Kalik
 Kalik Informatika ISP


 On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:

 thanks,
 
 Is there  a way to test CHAP?
 
 could we test that with radtest?
 
 
 
 
 2007/6/19, [EMAIL PROTECTED]  [EMAIL PROTECTED]:
 
  Have a look at dictionary.freeradius.internal. You will find several
  xxx-Password attributes where xxx are supported encryption types.
  
  To test CHAP you don't need to tell Freeradius anything. The chap module
  is enabled by default, so it will work if you haven't disabled it. What
  you need to do is to get the client to use CHAP - the radius server will
  follow.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 19/6/2007, lisa laam [EMAIL PROTECTED] wrote:
 
  Hi,
  
  I configured Freeradius to use the PAP method with the users file.
  The password is stored in clear text in the users file and it works well.
  
  Now I want to use another mode of storing users with the PAP method
  (for example MD5, with the users file located in
  /freeradius-1.1.6/src/tests/digest-auth-MD5).
  
  1- How to tell freeradius that the user password is stored in clear
  text, or digest, or MD5 hashed, etc.?
  I tried to copy the content of digest-auth-MD5 into the users file and
  I got this error:
  
  Errors reading /opt/freeradius/etc/raddb/users
  radiusd.conf[1067]: files: Module instantiation failed.
  radiusd.conf [1852] Unknown module files.
  radiusd.conf[1788] Failed to parse authorize section.
  
  
  I also want to test the CHAP method, how to tell radius to use this
  method instead of PAP?
  
  
  thanks
  
  
 

Help with Multiple AD/LDAP

2007-06-11 Thread Ryan Kramer

Hello,

I'm working on a new config to allow multiple AD servers to be hit, and am
running into a problem.  Just a quick background, I have one server that has
multiple root level OU's with users under it.  It may not be the recommended
design, but for our needs it is suitable.  I've set up freeradius with three
unique ldap entries, all connecting to the same AD server but under
different OU's.

Anyway, in users.conf I've got this:

DEFAULT Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=1


radiusd.conf

authorize {
...
LDAP1
LDAP2
LDAP3
}


which will return group=WIFIUSER in the access-accept if the user is in the
WIFIUSER AD group.  The problem is it only works if the user exists in the
last LDAP entry that is listed.  It will still return an access-accept, but
no group, if they aren't in the last OU.  (In the example above, a user in
the LDAP1 OU would not get the WIFIUSER group access-accept, even though they
are in it.  Moving LDAP1 to the bottom would make it work.)

Any suggestions?

Ryan Kramer

Re: Help with Multiple AD/LDAP

2007-06-11 Thread Ryan Kramer

it works!  Just a quick followup for anyone else that might run into it...
You need to define the DEFAULT users.conf entry differently as it can apply
to different servers individually.

DEFAULT LDAP1-Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=0

DEFAULT LDAP2-Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=0

DEFAULT LDAP3-Ldap-Group == WIFIUSER
   Filter-ID = WIFIUSER,
   Fall-Through=0


works perfectly...

Ryan Kramer




On 6/11/07, Ryan Kramer [EMAIL PROTECTED] wrote:


Hello,

I'm working on a new config to allow multiple AD servers to be hit, and am
running into a problem.  Just a quick background, I have one server that has
multiple root level OU's with users under it.  It may not be the recommended
design, but for our needs it is suitable.  I've set up freeradius with three
unique ldap entries, all connecting to the same AD server but under
different OU's.

Anyway, in users.conf I've got this:

DEFAULT Ldap-Group == WIFIUSER
Filter-ID = WIFIUSER,
Fall-Through=1


radiusd.conf

authorize {
...
LDAP1
LDAP2
LDAP3
}


which will return group=WIFIUSER in the access-accept if the user is in
the WIFIUSER AD group.  The problem is it only works if the user exists in
the last LDAP entry that is listed.  It will still return an access-accept,
but no group, if they aren't in the last OU.  (In the example above, a user
in the LDAP1 OU would not get the WIFIUSER group access-accept, even though
they are in it.  Moving LDAP1 to the bottom would make it work.)

Any suggestions?

Ryan Kramer





Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-06-05 Thread Ryan Kramer

Were you ever able to solve the issue of multiple OU's?   I have about 100
OU's that have users under them, running without a specified OU doesn't
work, and obviously once I drop into an OU it hits the users that live
there, and no others.

Ryan



On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:


OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making, see I want to search the
whole active directory, hence I kept setting my basedn without an ou.
After seeing your excellent example and auth'ing had failed I stuck in
an OU and tried a user from the OU and worked fine.

So my question is this, to auth people from multiple OU's do I create
a new ldap module for each OU or is there a simpler way.

Thanks Very much for your help Phil, its been a very productive
weekend thanks to the info you provided.

My challenge for monday will be setting up the cisco and wireless clients
now :)

On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
 radiusd.conf: http://pastebin.ca/464133
 radius -X ouput: http://pastebin.ca/464138

 Tried with 1.1.6 and fails with this error:

 rlm_ldap: reading ldap-radius mappings from file
/etc/raddb/ldap.attrmap
 rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
 rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap
failed
 radiusd.conf[540]: ldap: Module instantiation failed.
 radiusd.conf[586] Unknown module ldap.
 radiusd.conf[586] Failed to parse ldap entry.
 -
 /etc/raddb/ldap.attrmap does exist as provided by the rpm.

 [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
 -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap

 I assume the permissions are correct, as it was installed by rpm. Im
 building the 1.1.4 rpm now, will report back once done.

 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  Thanks for the very detailed instructions.
 
  I will attempt this shortly (brought rad & ad servers home for weekend
study).
  
  Quite possibly the biggest learning curve for me is the ldap fields
  but I am finally starting to get familiar with them.
 
  Cheers again, will post back once Ive run the radtest.
 
  On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
   I haven't been following your (quite extensive) queries, so apologies if
   I've missed something fundamental.
  
   I honestly don't know why this is proving so difficult. I've just tested
   this against our own 2k3 AD service, and although I'm pretty familiar
   with FR it took under 5 minutes. Try following the instructions below.
   These were tested with FreeRadius 1.1.4
  
   1. First, create or locate an existing account which FreeRadius can
   bind and do its searches as. Record the following variables:
  
   SEARCHDN=the DN of the account
   SEARCHPW=the password
   BASEDN=the DN below which all your accounts live in AD
   ADHOST=hostname of the AD controller you'll search against
  
   For example, these might be:
  
   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
   SEARCHPW=blahblah
   BASEDN=OU=My Site,DC=mysite,DC=com
  
   2. Next, take the default radiusd.conf
  
   3. Find the start of the modules section:
  
   modules {
 ...
  
   Delete this line and all the following lines
  
   4. Insert the following config:
  
   modules {
  ldap {
server = $ADHOST
identity = $SEARCHDN
password = $SEARCHPW
  
basedn = $BASEDN
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
  
dictionary_mapping = ${raddbdir}/ldap.attrmap
  
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
  }
  
  preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
  
with_ascend_hack = no
ascend_channels_per_line = 23
  
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
  }
  
  detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0644
  }
  
   }
  
   instantiate {
   }
  
   authorize {
  preprocess
  
  ldap
   }
  
   authenticate {
  Auth-Type LDAP {
ldap
  }
   }
  
  
   preacct {
  preprocess
   }
  
   accounting {
  detail
   }
  
  
   session {
   }
  
   post-auth {
   }
  
   pre-proxy {
   }
  
   post-proxy {
   }
  
   5. Start the server with -X
  
   6. Run radtest to send a checking PAP request
  
   It should work.
  
   The above config is the ABSOLUTE BARE MINIMUM server config which will
   check PAP requests ONLY against an AD LDAP server. I do NOT recommend
   you go into service with this config. Try to look at it, understand how
   it's doing what it's doing, *then* start again with the default
   FreeRadius config and make the absolute minimum changes to get back to
   that point.

Re: Freeradius and MS ActiveDirectory

2007-05-24 Thread Ryan Kramer

It is already built into FreeRadius in a number of ways...  either NTLM or
Ldap to AD.

Ryan Kramer



On 5/24/07, Ouahiba MACHANI [EMAIL PROTECTED] wrote:


Hi,

Is there any plug-in for Freeradius that allows it to interface with an
Active Directory and authenticate users?

If not, is it possible to develop such a plug-in, and what are the
requirements?

could this plug-in be a PAM module ?

thanks.


Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-05-01 Thread Ryan Kramer

You can take care of #1 by still doing LDAP to AD for the groups, but using
ntlm for the password authentication.  This seems counterproductive, unless
you are using a backside encryption where you need to do it that way, which
is what I ended up having to do.





On 4/30/07, Jacob Jarick [EMAIL PROTECTED] wrote:


Thanks for the Tip ryan but I have been down that road and 2 reasons
stopped me:

1 - no way of retrieving ldap groups
2 - Been requested not to have samba on the machine.

ntlm_auth was very straight forward for me because it supports all the
encryption methods.

On 5/1/07, Ryan Kramer [EMAIL PROTECTED] wrote:
 depending on the wifi auth method, you may want to also investigate a
 NTLM_AUTH method instead of straight ldap.  This requires the freeradius
 machine to be a member of the domain, but once you do that it works great.




 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  OK tried with 1.1.4 and yerp works great.
 
  radiusd -X output: http://pastebin.ca/464153
  radiusd.conf: http://pastebin.ca/464156
 
  I also realised a mistake I have been making, see I want to search the
  whole active directory, hence I kept setting my basedn without an ou.
  After seeing your excellent example and auth'ing had failed I stuck in
  an OU and tried a user from the OU and worked fine.
 
  So my question is this, to auth people from multiple OU's do I create
  a new ldap module for each OU or is there a simpler way.
 
  Thanks Very much for your help Phil, its been a very productive
  weekend thanks to the info you provided.
 
  My challenge for monday will be setting up the cisco and wireless clients
  now :)
 
  On 4/29/07, Jacob Jarick [EMAIL PROTECTED]  wrote:
   radiusd.conf: http://pastebin.ca/464133
   radius -X ouput: http://pastebin.ca/464138
  
   Tried with 1.1.6 and fails with this error:
  
   rlm_ldap: reading ldap-radius mappings from file
 /etc/raddb/ldap.attrmap
   rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
   rlm_ldap: Reading dictionary mappings from file
/etc/raddb/ldap.attrmap
 failed
   radiusd.conf[540]: ldap: Module instantiation failed.
   radiusd.conf[586] Unknown module ldap.
   radiusd.conf[586] Failed to parse ldap entry.
   -
   /etc/raddb/ldap.attrmap does exist as provided by the rpm.
  
   [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
   -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
  
   I assume the permissions are correct, as it was installed by rpm. Im
   building the 1.1.4 rpm now, will report back once done.
  
   On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
Thanks for the very detailed instructions.
   
I will attempt this shortly (brought rad & ad servers home for weekend
study).
    
Quite possibly the biggest learning curve for me is the ldap fields
but I am finally starting to get familiar with them.
   
Cheers again, will post back once Ive run the radtest.
   
On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
 I haven't been following your (quite extensive) queries, so apologies if
 I've missed something fundamental.

 I honestly don't know why this is proving so difficult. I've just tested
 this against our own 2k3 AD service, and although I'm pretty familiar
 with FR it took under 5 minutes. Try following the instructions below.
 These were tested with FreeRadius 1.1.4

 1. First, create or locate an existing account which FreeRadius can
 bind and do its searches as. Record the following variables:

 SEARCHDN=the DN of the account
 SEARCHPW=the password
 BASEDN=the DN below which all your accounts live in AD
 ADHOST=hostname of the AD controller you'll search against

 For example, these might be:

 SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
 SEARCHPW=blahblah
 BASEDN=OU=My Site,DC=mysite,DC=com

 2. Next, take the default radiusd.conf

 3. Find the start of the modules section:

 modules {
   ...

 Delete this line and all the following lines

 4. Insert the following config:

 modules {
ldap {
  server = $ADHOST
  identity = $SEARCHDN
  password = $SEARCHPW

  basedn = $BASEDN
  filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

  dictionary_mapping = ${raddbdir}/ldap.attrmap

  ldap_connections_number = 5
  timeout = 4
  timelimit = 3
  net_timeout = 1
}

preprocess {
  huntgroups = ${confdir}/huntgroups
  hints = ${confdir}/hints

  with_ascend_hack = no
  ascend_channels_per_line = 23

  with_ntdomain_hack = no
  with_specialix_jetstream_hack = no
  with_cisco_vsa_hack = no
}

detail {
  detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
  detailperm = 0644

Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-04-30 Thread Ryan Kramer

depending on the wifi auth method, you may want to also investigate a
NTLM_AUTH method instead of straight ldap.  This requires the freeradius
machine to be a member of the domain, but once you do that it works great.



On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:


OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making, see I want to search the
whole active directory, hence I kept setting my basedn without an ou.
After seeing your excellent example and auth'ing had failed I stuck in
an OU and tried a user from the OU and worked fine.

So my question is this, to auth people from multiple OU's do I create
a new ldap module for each OU or is there a simpler way.

Thanks Very much for your help Phil, its been a very productive
weekend thanks to the info you provided.

My challenge for monday will be setting up the cisco and wireless clients
now :)

On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
 radiusd.conf: http://pastebin.ca/464133
 radius -X ouput: http://pastebin.ca/464138

 Tried with 1.1.6 and fails with this error:

 rlm_ldap: reading ldap-radius mappings from file
/etc/raddb/ldap.attrmap
 rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
 rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap
failed
 radiusd.conf[540]: ldap: Module instantiation failed.
 radiusd.conf[586] Unknown module ldap.
 radiusd.conf[586] Failed to parse ldap entry.
 -
 /etc/raddb/ldap.attrmap does exist as provided by the rpm.

 [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
 -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap

 I assume the permissions are correct, as it was installed by rpm. Im
 building the 1.1.4 rpm now, will report back once done.

 On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
  Thanks for the very detailed instructions.
 
  I will attempt this shortly (brought rad & ad servers home for weekend
study).
  
  Quite possibly the biggest learning curve for me is the ldap fields
  but I am finally starting to get familiar with them.
 
  Cheers again, will post back once Ive run the radtest.
 
  On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
   I haven't been following your (quite extensive) queries, so apologies if
   I've missed something fundamental.
  
   I honestly don't know why this is proving so difficult. I've just tested
   this against our own 2k3 AD service, and although I'm pretty familiar
   with FR it took under 5 minutes. Try following the instructions below.
   These were tested with FreeRadius 1.1.4
  
   1. First, create or locate an existing account which FreeRadius can
   bind and do its searches as. Record the following variables:
  
   SEARCHDN=the DN of the account
   SEARCHPW=the password
   BASEDN=the DN below which all your accounts live in AD
   ADHOST=hostname of the AD controller you'll search against
  
   For example, these might be:
  
   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
   SEARCHPW=blahblah
   BASEDN=OU=My Site,DC=mysite,DC=com
  
   2. Next, take the default radiusd.conf
  
   3. Find the start of the modules section:
  
   modules {
 ...
  
   Delete this line and all the following lines
  
   4. Insert the following config:
  
   modules {
  ldap {
server = $ADHOST
identity = $SEARCHDN
password = $SEARCHPW
  
basedn = $BASEDN
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
  
dictionary_mapping = ${raddbdir}/ldap.attrmap
  
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
  }
  
  preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
  
with_ascend_hack = no
ascend_channels_per_line = 23
  
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
  }
  
  detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0644
  }
  
   }
  
   instantiate {
   }
  
   authorize {
  preprocess
  
  ldap
   }
  
   authenticate {
  Auth-Type LDAP {
ldap
  }
   }
  
  
   preacct {
  preprocess
   }
  
   accounting {
  detail
   }
  
  
   session {
   }
  
   post-auth {
   }
  
   pre-proxy {
   }
  
   post-proxy {
   }
  
   5. Start the server with -X
  
   6. Run radtest to send a checking PAP request
  
   It should work.
  
   The above config is the ABSOLUTE BARE MINIMUM server config which will
   check PAP requests ONLY against an AD LDAP server. I do NOT recommend
   you go into service with this config. Try to look at it, understand how
   it's doing what it's doing, *then* start again with the default
   FreeRadius config and make the absolute minimum changes to get back to
   that point.
LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer

I've recently moved to 1.1.5, and went from a system that worked perfectly
with MS LDAP to one that will no longer find the user groups, using the
identical config.  Anyone have any ideas?  The obvious one is that
1.1.5 throws in all kinds of escape characters, but I'm assuming that is
output only.

Ryan Kramer




1.0.1 output
rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter
(&(cn=DIVISION-WIFI)(|(&(objectClass=group)(member=CN=Kramer\\, Ryan
M.,OU=USERS,OU=DIVISION,DC=state,DC=company))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Kramer\\,
Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company
rlm_ldap::ldap_groupcmp: User found in group DIVISION-WIFI


1.1.5 output
rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter
((cn=DIVISION-WIFI)(|((objectClass=group)(member=CN\3dKramer\5c\5c\2c Ryan
M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany))((objectClass=GroupOfUniqueNames)(uniquemember=CN\3dKramer\5c\5c\2c
Ryan M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: Group DIVISION-WIFI not found or user is not a
member.

Re: LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer


  No.  It's part of the LDAP query.

  In order to avoid external users logging in with names that are valid
LDAP queries, the untrusted user input is escaped before it is passed to
the LDAP module.





Apparently something in the ldap_escape_func is broken when talking to
Microsoft AD.  I replaced the code of that function with the much more
lenient code of the 1.0.1 ldap_escape_func, and it works great with MS LDAP
now!

Re: LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer

On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote:


Ryan Kramer wrote:
 Apparently something in the ldap_escape_func is broken when talking to
 Microsoft AD.

  The code does not distinguish between Microsoft AD and other LDAP
servers.



Correct, it is very simple code and doesn't care.  My guess is that it is
Microsoft AD not acting like any other reasonable AD on the planet, I
suspect.

I'll post my exact queries tomorrow, but as I mentioned, the only change was
to revert that section of code back to the 1.0.1 version, recompile, and it
works great.  I hacked away at the configs for about 3 hours without any
success using pretty much every trick I could think of to get it working.

I SUSPECT something might not be escaped in a manner the MS AD server likes,
or maybe just the fact it has any escape sequences built in at all is what
is causing it to toss it.  Hopefully tomorrow I'll be able to get some logs
from our server admins to see exactly what the queries they receive look
like.
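
The disagreement in this thread comes down to how much of the user's DN gets escaped before it is spliced into the group-membership filter. As an added example (not rlm_ldap's code, and not a claim about what 1.1.5's ldap_escape_func actually did), the Python below shows the RFC 4515 minimum escape set, a stand-in for an over-eager escaper that produces the \3d / \2c form seen in the 1.1.5 output, and why escaping cannot simply be dropped: the same step is what stops a user name like test)(objectClass=* from adding a clause to the filter. The DN, group name and filter shape are taken from the thread, the hostile user name and sAMAccountName filter are constructed, and the & operators in the group filter are assumed since the archive shows only the parentheses.

```python
from typing import Callable

# RFC 4515 section 3: these are the only characters that MUST be escaped inside
# a filter assertion value; any other octet may legally be written as-is.
RFC4515_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_rfc4515(value: str) -> str:
    """Minimum escaping that still makes user input inert inside a filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def escape_aggressive(value: str) -> str:
    """Stand-in for an escaper that hex-escapes every punctuation byte. Still
    valid RFC 4515 syntax, and it yields the '\\3d' / '\\2c' form in the 1.1.5
    debug output; whether a directory matches a DN-valued attribute written
    this way is up to the server, which is what the thread ran into."""
    out = []
    for ch in value:
        if ch.isascii() and (ch.isalnum() or ch in " .-"):
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def group_filter(group_cn: str, user_dn: str, esc: Callable[[str], str]) -> str:
    """Membership filter of the shape shown in the thread. The group name comes
    from trusted config and is used verbatim; the user's DN came back from the
    directory for an attacker-chosen login and goes through `esc`."""
    u = esc(user_dn)
    return ("(&(cn=%s)(|(&(objectClass=group)(member=%s))"
            "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s))))" % (group_cn, u, u))


def direct_children(filt: str) -> int:
    """Number of components directly under the outermost filter, treating
    '\\28' and '\\29' as data rather than structure. Raises if unbalanced."""
    depth = count = i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":  # an RFC 4515 escape is exactly one backslash plus two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
            if depth == 2:
                count += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced filter")
    return count


USER_DN = r"CN=Kramer\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company"
# Constructed login filter and injection attempt; the hostile name tries to
# append an always-true clause so that any password-bound user matches.
LOGIN_FILTER = "(&(sAMAccountName=%s)(memberOf=CN=DIVISION-WIFI,OU=DIVISION,DC=state,DC=company))"
HOSTILE_NAME = "test)(objectClass=*"

if __name__ == "__main__":
    print(group_filter("DIVISION-WIFI", USER_DN, escape_rfc4515))
    print(group_filter("DIVISION-WIFI", USER_DN, escape_aggressive))
    print("clauses, raw:", direct_children(LOGIN_FILTER % HOSTILE_NAME),
          "escaped:", direct_children(LOGIN_FILTER % escape_rfc4515(HOSTILE_NAME)))
```

Reverting to a more lenient escaper is only safe if that escaper still covers the five characters in RFC4515_ESCAPES; the clause count from direct_children is a quick way to check that a given escaper keeps a hostile login from changing the filter's structure.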

Re: question about freeradius, 802.1x with peap, auth via LDAP

2007-04-04 Thread Ryan Kramer

1)  Microsoft LDAP isn't like normal LDAP; you don't get access to the
password.  To have freeradius touch the password at any point, it needs to
be on the domain and do an ntlm_auth instead of ldap.



On 4/4/07, wenny wang [EMAIL PROTECTED] wrote:


Hi,

I need help/advice with the following scenario:

1. I have a freeradius server; this server is not part of the Active Directory
domain, but it is able to perform ldapsearch for user accounts.

2. The workstation is a Windows 2000 PC and needs to be authenticated through
a Cisco Catalyst switch to the freeradius server with the user's LAN username
and password transparently (PEAP).

My question is: what are the requirements for the radius server? Does the
server need to be part of the Active Directory domain? Can you direct me to a
how-to link? I have made several configurations but none were successful.
Please help, thanks.



Re: Radius Packet Simulator

2007-04-02 Thread Ryan Kramer

jradius is about the best I've found.


On 4/2/07, khursheed Ahmed [EMAIL PROTECTED] wrote:




Hi All,

I need a RADIUS packet simulator, which could simulate RADIUS packets for
me. If there is any, please tell me. I need it because I am developing a
Translation Agent which could translate (convert) RADIUS packets into
Diameter packets.

Is there any idea? Please help.

Khursheed Ahmed QAU




802.1x-radius VLAN assignment

2007-03-08 Thread Ryan Kramer

Hello!

I am working on implementing freeradius with an Aruba WiFi controller
connected to freeradius, which then talks to AD.  (The Linux box is on the
AD domain.)  Anyway, we need to pull the VLAN identifier through from an AD
group, but it appears FreeRadius does not pull that through the request
field.

Anyone have any thoughts?  We know this is possible through the Microsoft
radius solution, but are having a tough time of it without using that
instead.  Thanks!

Ryan Kramer