Re: [RE]Freeradius-Users Digest, Vol 18, Issue 98

2006-11-15 Thread wekz
If it's not a requirement for your system, why don't you apt-get install openssl ? And if you don't plan to use openssl, you could install only libssl0.9.7 and libssl-dev. Both with apt. That is what I do and it works!
Cheers ( I hope it helps you ;) )

2006/11/15, Ana Gallardo Gómez [EMAIL PROTECTED]:

Sorry for my English... I had the same problem with Freeradius-OpenSSL. I'm running a Debian Sarge 3.1. My installation is:
/usr/local/openssl -- OpenSSL binaries
/usr/local/radius -- Freeradius binaries
/usr/local/freeradius-1.1.3 -- Freeradius source
/usr/local/openssl-0.9.7k -- OpenSSL source
To compile and install OpenSSL:
/usr/local/openssl-0.9.7k/.config shared --prefix=/usr/local/openssl
/usr/local/openssl-0.9.7k/make
/usr/local/openssl-0.9.7k/make install
Copy OpenSSL library and include files to /usr/local/lib and /usr/local/include.
To compile and install Freeradius:
/usr/local/freeradius-1.1.3/.configure --prefix=/usr/local/radius
/usr/local/freeradius-1.1.3/make
/usr/local/freeradius-1.1.3/make install
:)

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [RE]Freeradius-Users Digest, Vol 18, Issue 98

2006-11-15 Thread wekz
Uh-Uh Sorry I think I missed part of the thread.

2006/11/15, wekz [EMAIL PROTECTED]:

Re: EAP-TTLS + LDAP + PAP with encrypted password

2006-08-07 Thread wekz
Thanks Alan. I wanted to test your solution before replying. I've been trying it all day but couldn't get it to work. Something very strange is happening. I've added, as you suggested, Auth-Type=PAP. I do that with a users-file at the end of the authorization module and I set password_header={sha} in my ldap modules ( I hope I won't be wrong ).
The problem is: rlm_pap: Attribute Password is required for authentication. I don't know why the client is not sending the password. I've been watching packets with ethereal and can't see the password although I can see the username. I'm using Win XP + Secure W2.
Did something similar ever happen to you?

2006/8/4, Alan DeKok [EMAIL PROTECTED]:

wekz [EMAIL PROTECTED] wrote:
 The user is authorized and the password is got from the ldap (rlm_ldap: Adding userPassword as User-Password, value {sha}rur+4yJuecpmc8vxS/8wAyAMNHM= op=21)

In 1.1.x, you have to configure the ldap module to know about the {sha} password header. See the ldap section of modules.

 And after matching the group Local in my users-file:
 auth: type Local
 auth: user supplied User-Password does NOT match local User-Password
 auth: Failed to validate the user.

Unfortunately, this is one of the few cases where you probably have to set Auth-Type = PAP. Note that this is ONLY a 1.1.x limitation. The CVS head, and therefore 2.0, has that fixed.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog

EAP-TTLS + LDAP + PAP with encrypted password

2006-08-04 Thread wekz
Hi all, I've been trying to get over this configuration but without any success. I'm using freeradius-1.1.1. First I had this working with eap-tls and peap for authentication and ldap for authorization; it was working quite well. As I have to integrate this configuration with an ldap that has encrypted passwords I decided to change the authtype to pap over eap-ttls after reading Protocol and Password Compatibility on Alan's site.
The authorization part of ldap does the following: a user will be authorized to use remote access if he is in the ldap and, depending on the access policy defined, if he belongs to a white or blacklist. After being authorized, within the authorize section the user finds these lines:
 users_branch
 eap
user-branch is the users file I use that has entries of the form (and nothing else):
 DEFAULT ldap11-Ldap-Group == Local
  Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Local, Fall-Through = No
This, as I said, was working right.
Now the only things I've added to radiusd.conf are:
modules {
 ( I've commented any other type like chap, mschap, peap, leap... only the ones listed here are set )
 ldap-modules-stuff
 pap {
  encryption_scheme = sha1
 }
 eap {
  default_eap_type = ttls
  ...
  gtc {
   auth_type = PAP # I've tested without configuring gtc too and setting default_eap_type in ttls to md5 and commenting it out
  }
  tls {
   my old configuration that works
  }
  ttls {
   default_eap_type = gtc
   copy_request_to_tunnel = yes
   use_tunneled_reply = yes
  }
 }
}
authorize {
 ...
 ldap stuff
 user_branch
 eap
}
authenticate {
 Auth-Type PAP {
  pap
 }
 eap
}
Then in the logs I can see this ( I don't put them all because they are nearly endless ):
The user is authorized and the password is got from the ldap (rlm_ldap: Adding userPassword as User-Password, value {sha}rur+4yJuecpmc8vxS/8wAyAMNHM= op=21)
.
rad_check_password: Found Auth-Type EAP
auth: type EAP
...
The eap-ttls tunnel is ok
..
And after matching the group Local in my users-file:
auth: type Local
auth: user supplied User-Password does NOT match local User-Password
auth: Failed to validate the user.
Access-reject
When I try this with clear-text passwords it works quite well but I don't know if it is working the way I want or not (with pap), because neither with encrypted nor with clear-text passwords can I see in the logs a reference to rlm_pap or gtc...
I imagine I'm doing something wrong but can't figure out what it is. I've googled on the internet and in the mailing list but I don't make any progress with what I've found. So any comments are welcome.
Thanks

freeradius-1.1.1 + mschap + ldap with encrypted password

2006-08-02 Thread wekz
Hi all, I've configured freeradius-1.1.1 to do eap-tls and peap to authenticate windows wireless users against an ldap. The problem now is that I have to authenticate doing peap against an ldap which has userpassword encrypted ( and this is a point that I can't change unless it is impossible to do ). I know that when I'm using peap what I finally use is mschapv2 and that this protocol makes a challenge ( with username, password and some stuff ) that the user must respond to. As my ldap user passwords are encrypted and microsoft clients make the response with a clear-text password, it couldn't work. At least that's what I've understood ( and my knowledge about this is very limited, so correct me if I'm wrong ). My question is if there is any way to make it work configuring ntlm_auth ?
Thanks in advance.

Re: freeradius-1.1.1 + mschap + ldap with encrypted password

2006-08-02 Thread wekz
Ok that's what I imagined. There's no domain controller involved and no AD so I can't use peap. Maybe pap. Thanks Phil.

2006/8/2, Phil Mayers [EMAIL PROTECTED]:

wekz wrote:
 The problem now is that I have to authenticate doing peap against an ldap which has userpassword encrypted ( and is a point that I can't change unless it is impossible to do ).

Unless your password is encrypted as an NT or LM hash, it's impossible.
If your LDAP server is an AD server, it's impossible.

 correct me if I'm wrong ). My question is if there is anyway to make it work configuring ntlm_auth ?

If you have a domain controller, you can indeed use ntlm_auth - merely install samba, configure it, join the domain and uncomment the ntlm_auth line in the mschap module, modifying the configuration (CAREFULLY!) if need be.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
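Added here as an illustration (not FreeRADIUS code) of the check rlm_pap ends up doing in the EAP-TTLS + PAP setup from the earlier thread, and of why the mschap route in this thread cannot do the same: a {SHA} userPassword (or, beyond what the thread shows, a salted {SSHA} one) can be verified against the cleartext password that arrives inside the TTLS tunnel, but not against an MS-CHAPv2 response, which needs the NT hash. All password values are constructed; the {sha} value quoted in the thread is not used.

```python
"""Model of the password check rlm_pap performs on a hashed LDAP userPassword.
Illustration only, not FreeRADIUS source."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def make_sha_hash(password: str) -> str:
    """Store a password the way an LDAP admin would with the {SHA} scheme:
    the raw SHA-1 digest, base64 encoded, behind the scheme header."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted variant: base64(sha1(password + salt) + salt). A fixed salt is
    only accepted here so the result can be checked in a test."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_header(stored: str) -> Tuple[str, str]:
    """Return (scheme, payload) for '{scheme}payload'. The scheme is lower-cased
    so that '{sha}' (password_header = {sha} in the thread) and '{SHA}' match."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return "", stored                 # no header: a cleartext entry


def pap_check(stored: str, candidate: str) -> bool:
    """Verify the cleartext password from the TTLS tunnel against the stored
    value. Only a cleartext candidate can be hashed and compared like this,
    which is why PAP works with a {SHA} directory and MS-CHAPv2 cannot:
    MS-CHAPv2 needs the NT hash of the password, which a SHA-1 digest does
    not provide."""
    scheme, payload = split_header(stored)
    cand = candidate.encode("utf-8")
    if scheme == "":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:                # binascii.Error is a ValueError
        return False
    if scheme == "sha":
        return len(raw) == 20 and hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    if scheme == "ssha":
        if len(raw) <= 20:
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    return False                      # unknown scheme: reject, never guess
```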

Re: PEAP short question

2006-07-25 Thread wekz
Thanks Stefan. I thought it was like you said but wasn't sure. Now I'll try to find which part of the code does it.

2006/7/21, Stefan Winter [EMAIL PROTECTED]:

 Hi, I've been watching the logs and my question is why localhost takes part in the process.

Inner workings of FreeRADIUS. The inner authentication (within the EAP TLS tunnel) counts as a new request, coming from localhost.

Stefan Winter
--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Research Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

PEAP short question

2006-07-21 Thread wekz
Hi all, I've been watching the logs and my question is why localhost takes part in the process. 

Re: Are possible multiple ntdomain realms??????

2006-06-09 Thread wekz
Thank you Phil. I didn't have time to test it yet. I had to install a previous release so I modified the cb.c function. I know what I've done is awful but it was an extreme solution. I'll test yours next week and reinstall the server as soon as possible.
Thanks again

2006/6/7, Phil Mayers [EMAIL PROTECTED]:

wekz wrote:
 And if they are, what effect has with_ntdomain_hack=yes. Does it affect all?? Well, Hi you all, I hope I haven't been too direct ;) I'm getting more troubles as I do more complex configurations.
 I ask this because first I had to authenticate users by machine authentication. The users in this case send a User-Name like host/username and the only way I found to work this out was to use an ntdomain realm with / as the delimiter and enable with_ntdomain_hack. The other options strip the User-Name but then packets don't match EAP-Identity ( at least one of them ), that is why I used ntdomain, for being able to use with_ntdomain_hack.

Yes, this is a pain. The correct thing to do is below.

FreeRadius 1.1.0 has code to do this for you - it will take names of the form host/blah and turn them into blah$ *IF* you are using the %{mschap:User-Name} expansion. The %{User-Name} is left alone, meaning EAP carries on working.

 Now I've got pda-users that send domain\username and if I don't use ntdomain and with_ntdomain_hack it fails. So, that's why I ask if multiple ntdomains are allowed and how.

Again, this is annoying.

The best way I've found is to have this:

proxy.conf (contains only real domains)

realm THEDOMAINNAME {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
 # see [1] for strip
 strip
}
realm DEFAULT {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
 # see [1] for strip
 strip
}
realm NULL {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
 # see [1] for strip
 strip
}

radiusd.conf (portions omitted):

modules {
 mschap {
  authtype = MS-CHAP
  with_ntdomain_hack = yes
  # this all goes on one line
  # see [2] for mschap:User-Name
  ntlm_auth = /path/ntlm_auth --request-nt-key \
   --username=%{mschap:User-Name} \
   --challenge=%{mschap:Challenge:-00} \
   --nt-response=%{mschap:NT-Response:-00}
 }
 realm ntdomain {
  format = prefix
  delimiter = \\
  ignore_default = no
  ignore_null = no
 }
}
authorize {
 preprocess
 ntdomain
 eap
 mschap
}

The various bits ensure:

1. strip in the realms means there is always a realm-free %{Stripped-User-Name} variable, useful for e.g. LDAP/file/SQL searches.
2. The with_ntdomain_hack creates an mschap:User-Name variable which will always have the domain stripped correctly - dom\user goes to user, and host/machine goes to machine$

 Any method or idea will be welcome. Thanks

Re: multiple Autz-Type

2006-06-07 Thread wekz
Thanks very much Phil. That works, I think it doesn't work in the hints file for the reasons you told me.
Now I've got a new problem. I use the radiusGroupName for making the users belong to VLAN1, VLAN2 or VLAN3. So I enable
 groupmembership_attribute = radiusGroupName
but I left groupname_attribute and groupmembership_filter commented ( in each ldap module ). In another file called users-vlan I defined this:
 DEFAULT Ldap-Group == Local
  stuff for assigning VLAN1
 .
The file that determines the users' procedence is users-procedence:
 DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type=customer1
 .
The file that proxies ( users-proxy ):
 DEFAULT proxy-to-realm:=CENTRAL
The authorization section:
 users-procedence
 autztype customer1 {
  redundant {
   group {
    ldap1 {
     notfound = return
     fail = return
    }
    users-vlan
    mschap
    eap
    notfound = 1
    fail = 1
   }
   users-proxy
  }
 }
 .
The situation is: a user that must be authorized against ldap2 makes a match in the users-procedence file and gets the customer2 autztype. So the user is looked for in ldap2.
1.- If it fails, in the logs I could see radius looking for ldap_groupcmp() in ldap3 when all I think it must do is proxy.
2.- In case the user is found it makes a search too for the ldap group in ldap3.
I think in the first case there are two problems: it searches when it doesn't have to ( unnecessary search ), and it searches badly because it does it in the last ldap instantiated ( that is ldap3 ). In the second case the problem is that it searches in the last ldap instantiated.
(( This configuration works fine when all you have is one ldap ))
Is that a bug ?? I found a similar bug in the bug-list but it belongs to version 1.0.1 ( bug #163, about unnecessary searches ) and I think I read a bug about searching in the last ldap instantiated ( but I think this has to do with older versions and I can't find it ).
I solved this problem yesterday but I don't know how to say... I solved it in a dirty way ( I hope you understand ). So if you or anyone have an idea ...

2006/6/5, Phil Mayers [EMAIL PROTECTED]:

wekz wrote:
 I don't know if I have explained it correctly, if I haven't just tell me ( I'm not an english speaker )

Your english is great.

 My hints file:

Nearly there. Try:

DEFAULT NAS-IP-Address == 192.168.xx.yy, Autz-Type := LDAPx

I'm not sure that'll work in a hints file - so you may need to use a users file - hints puts items into the request pairs, Autz-Type needs to go into the configure pairs.

Try this:

modules {
 # other stuff
 files filesFirst {
  usersfile = ${confdir}/usersFirst
 }
}

authorize {
 preprocess
 filesFirst
 Autz-Type LDAP1 {
  # stuff here
  ldap1
 }
 # other LDAP modules
}

And in ${confdir}/usersFirst:

DEFAULT NAS-IP-Address == 192.168.51.xx, Autz-Type := LDAP1
DEFAULT NAS-IP-Address == 192.168.51.yy, Autz-Type := LDAP2

...and so on.

The other slightly simpler way might be to use a passwd (badly named) module, e.g.:

modules {
 passwd nas2autz {
  filename = ${confdir}/nas2autz
  format = *NAS-IP-Address:Autz-Type
  # set to 0 to read file on every request - slow
  # but instant-updates
  hashsize = 100
 }
}

authorize {
 preprocess
 nas2autz
 Autz-Type LDAP1 {
  ldap1
 }
 # other Autz
}

...and in ${confdir}/nas2autz

192.168.51.xx:LDAP1
192.168.51.yy:LDAP2

Hope that helps
Phil

Re: multiple Autz-Type

2006-06-07 Thread wekz
Ooo I think I found the solution: in users-vlan I changed the lines to these:
DEFAULT ldap1-Ldap-Group==Local
 Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Local, Fall-Through = No
DEFAULT ldap1-Ldap-Group==Invitados
 Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Invitado, Fall-Through = No
DEFAULT ldap2-Ldap-Group==Local
 Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Local, Fall-Through = No
DEFAULT ldap2-Ldap-Group==Invitados
 Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Invitado, Fall-Through = No
DEFAULT ldap3-Ldap-Group==Local
 Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Local, Fall-Through = No
DEFAULT ldap3-Ldap-Group==Invitados
 Tunnel-Type=VLAN, Tunnel-Medium-Type=6, Tunnel-Private-Group-Id=Invitado, Fall-Through = No
And it doesn't do unnecessary searches and when it has to, it searches correctly.
This works but, is it the best way to do it?

2006/6/7, wekz [EMAIL PROTECTED]:

Are possible multiple ntdomain realms??????

2006-06-07 Thread wekz
And if they are, what effect does with_ntdomain_hack=yes have? Does it affect all of them??
Well, Hi you all, I hope I haven't been too direct ;) I'm getting more troubles as I do more complex configurations. I ask this because first I had to authenticate users by machine authentication. The users in this case send a User-Name like host/username and the only way I found to work this out was to use an ntdomain realm with / as the delimiter and enable with_ntdomain_hack. The other options strip the User-Name but then packets don't match EAP-Identity ( at least one of them ), that is why I used ntdomain, for being able to use with_ntdomain_hack.
Now I've got pda-users that send domain\username and if I don't use ntdomain and with_ntdomain_hack it fails. So, that's why I ask if multiple ntdomains are allowed and how. Any method or idea will be welcome.
Thanks

multiple Autz-Type

2006-06-05 Thread wekz
Hello everybody. I'll tell you what I wanna do and the problem I get so you could either fix my configuration or give me some new ideas. First, I'm using freeradius 1.1.1 + ldap. What I have is this: I have three radius working in different placements of one organization; these radius authorize against three subtrees of the ldap. When a user is not found they do proxy to another radius. This works quite well.
What I want: I want to have another radius ( only one ) to act as a backup of these servers ( for configuring my ciscos with two servers ). This radius has the complete tree but it must look in each subtree depending on the NAS-IP, not in the whole ldap. If the user is not found in the corresponding subtree it must do proxy to the central radius.
I don't know if I have explained it correctly, if I haven't just tell me ( I'm not an english speaker )
For this configuration I've defined three ldaps in radiusd.conf:
module {
 ldap ldap1 { }
 ldap ldap2 { }
 ldap ldap3 { }
}
...
authorize {
 ...
 autztype customer1 {
  redundant {
   group {
    ldap1 {
     notfound = return
     fail = return
    }
    files
    mschap
    eap
    notfound = 1
    fail = 1
   }
   files
  }
 }
 Autz-Type customer2 { [ similar configuration as above ] }
 Autz-Type customer3 { [ similar configuration as above ] }
}
My hints file:
DEFAULT NAS-IP-Address == 192.168.51.220 Autz-Type := customer1
DEFAULT NAS-IP-Address == 192.168.51.221 Autz-Type := customer2
DEFAULT NAS-IP-Address == 192.168.51.222 Autz-Type := customer3
Users:
DEFAULT Proxy-to-realm := wickwar_central
The problem is that it doesn't execute any of the Autz-Type sections.
The logs:
rad_recv: Access-Request packet from host 192.168.51.221:1645, id=200, length=160
 User-Name = cadiz
 Framed-MTU = 1400
 Called-Station-Id = 0011.9215.c490
 Calling-Station-Id = 0004.238d.4b0e
 Cisco-AVPair = ssid=perfil_tipo_a
 Service-Type = Login-User
 Message-Authenticator = 0x27c966f01f1de90c836066e2a019c553
 EAP-Message = 0x0202000a01636164697a
 NAS-Port-Type = Wireless-802.11
 Cisco-NAS-Port = 395
 NAS-Port = 395
 NAS-IP-Address = 192.168.51.221
 NAS-Identifier = ap
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
 hints: Matched DEFAULT at 59
 modcall[authorize]: module preprocess returns ok for request 1
 rlm_realm: No '/' in User-Name = cadiz, looking up realm NULL
 rlm_realm: No such realm NULL
 modcall[authorize]: module ntdomain returns noop for request 1
radius_xlat: '/opt/radius_LOCAL/var/log/radius/radacct/192.168.51.221/auth-detail-20060605'
rlm_detail: /opt/radius_LOCAL/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/radius_LOCAL/var/log/radius/radacct/192.168.51.221/auth-detail-20060605
 modcall[authorize]: module auth_log returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [cadiz/no User-Password attribute] (from client ap port 395 cli 0004.238d.4b0e)
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 200 to 192.168.51.221 port 1645
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 200 with timestamp 44840b82
Nothing to do. Sleeping until we see a request.
If anyone could give me a hand I would be grateful. Thanks.

Re: ntdomain_hack

2006-05-18 Thread wekz
Well I have found the answer. In the proxy realm I've put nostrip and it is working now.

2006/5/18, wekz [EMAIL PROTECTED]:

Hello everyone,
I've configured a freeradius 1.1.1 + LDAP for eap-tls authentication with domains.

authorize {
 preprocess
 ntdomain
 ...
}

realm host {
 type = radius
 authhost = LOCAL
 accthost = LOCAL
 strip
}

This configuration gives an error: rlm_eap: Identity does not match User-Name, setting from EAP Identity. When I enable with_ntdomain_hack in eap.conf it works quite well. Could anyone tell me why it's necessary?
The problem is that this secondary_radius does proxy when it doesn't find the user in its LDAP and the master_radius gives this error: rlm_eap: Identity does not match User-Name, setting from EAP Identity.
I've tried in master_radius the same configuration with and without ntdomain_hack and it fails. I've been thinking of adding the realm before the secondary does proxy, so the master could treat the request as if it had been local. But I don't like this too much.
Does anyone have a better idea of what to do?
Thanks.

Re: problems with hints file

2006-05-08 Thread wekz

Ok Phil. That works fine, thanks.

I had to enable with_ntdomain_hack too.


2006/5/5, Phil Mayers [EMAIL PROTECTED]:

wekz wrote:
 Hi all,

 I use freeradius1.1.1 + ldap. And peap or eap-tls for authorization.

 I've been trying to use hints.file for changing the User-Name. When a
 laptop user which is in a domain tries to do a peap authentication,
 windows sends a User-Name that follows this pattern (at least the ones
 I've seen):

  DOMAIN\5c\5cLOGIN

 I'm trying to catch up the LOGIN name so the radius can perform a search
 in ldap.

 I've modify hints.file including this line:

   DEFAULT User-Name =~ ^([^\\]+)\\5c\\5c([^\\]+)
   User-Name := %{2}

I assume you didn't mean 5c but the body of your mail appears to have
been corrupted along the way.



 The problem is that this rule matches but it changes the User-Name for
 an empty string.

I believe that should be:

DEFAULT User-Name =~ ^([^\\]+)([^\\]+)
 User-Name = `%{2}`

HOWEVER - you should almost certainly be using the realm module to do
this. The default config has realm ntdomain { ...config lines defined.
If you put this in authorize like so:

authorize {
   preprocess
   ntdomain
   # other modules
}

...then add this in proxy.conf:

realm MYDOMAIN {
   type = radius
   authhost = LOCAL
   accthost = LOCAL
   strip
}

...you can then use the following in e.g. the ldap config:

  ldap {
# other config

# NOTE: the expansion means Stripped-User-Name OR User-Name
filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})

# other config
  }
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
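Added here as a model (not rlm_realm, rlm_mschap or rlm_ldap code) of the name handling Phil describes in this thread and in the "multiple ntdomain realms" thread: the ntdomain realm with strip filling Stripped-User-Name while leaving User-Name untouched (so the EAP identity check still passes), the with_ntdomain_hack rewrite behind %{mschap:User-Name}, and the %{Stripped-User-Name:-%{User-Name}} expansion in the LDAP filter. The request is represented as a dict, the realm names are the ones from the thread, and the filter escaping goes beyond the thread: it follows RFC 4515, under which \5c is the escaped form of a backslash.

```python
"""Model of FreeRADIUS 1.1.x User-Name handling (realm strip, ntdomain hack,
LDAP filter expansion). Illustration only, not FreeRADIUS source."""
from typing import Dict

# Realms from proxy.conf in the thread; all have authhost = LOCAL.
# DEFAULT catches unknown realm prefixes, NULL catches names with no prefix.
KNOWN_REALMS = {"THEDOMAINNAME", "DEFAULT", "NULL"}

# RFC 4515 filter escapes: "\" -> \5c, "*" -> \2a, "(" -> \28, ")" -> \29, NUL -> \00
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def realm_ntdomain(request: Dict[str, str], delimiter: str = "\\") -> Dict[str, str]:
    """realm ntdomain { format = prefix, delimiter = \\ } plus 'strip' in proxy.conf.
    REALM<delim>user becomes Realm=REALM and Stripped-User-Name=user.
    User-Name itself is never rewritten: rlm_eap compares it with the
    EAP-Identity and would log 'Identity does not match User-Name' otherwise."""
    req = dict(request)               # never mutate the caller's request
    name = req["User-Name"]
    if delimiter not in name:
        # rlm_realm: No '\' in User-Name, looking up realm NULL
        req["Realm"] = "NULL"
        return req
    realm, user = name.split(delimiter, 1)
    req["Realm"] = realm if realm in KNOWN_REALMS else "DEFAULT"
    req["Stripped-User-Name"] = user
    return req


def mschap_user_name(user_name: str) -> str:
    """%{mschap:User-Name} with with_ntdomain_hack = yes, as Phil describes it:
    dom\\user -> user, host/machine -> machine$, anything else unchanged."""
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    if user_name.startswith("host/"):
        return user_name[len("host/"):] + "$"
    return user_name


def ldap_escape(value: str) -> str:
    """Escape a value before it is interpolated into an LDAP search filter,
    so a crafted User-Name cannot change the filter's structure."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(request: Dict[str, str]) -> str:
    """filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}):
    use the stripped name when the realm module produced one, else User-Name."""
    user = request.get("Stripped-User-Name") or request["User-Name"]
    return "(sAMAccountName=%s)" % ldap_escape(user)
```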


problems with hints file

2006-05-05 Thread wekz
Hi all, I use freeradius1.1.1 + ldap. And peap or eap-tls for authorization. I've been trying to use hints.file for changing the User-Name. When a laptop user which is in a domain tries to do a peap authentication, windows sends a User-Name that follows this pattern (at least the ones I've seen):
 DOMAIN\5c\5cLOGIN
I'm trying to catch the LOGIN name so the radius can perform a search in ldap. I've modified hints.file including this line:
 DEFAULT User-Name =~ ^([^\\]+)\\5c\\5c([^\\]+)
  User-Name := %{2}
The problem is that this rule matches but it changes the User-Name to an empty string.
If I put a string instead of %{2} it does change it right.
 DEFAULT User-Name =~ ^([^\\]+)\\5c\\5c([^\\]+)
  User-Name := JOHNDOE
I don't know if that is a bug or if there's something I'm doing wrong and didn't realize. ¿?
Thanks.