Re: HELP: radtest fails local test

2007-04-13 Thread Jacob Jarick
Freeradius 1.1.3
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

How do I configure the users file to authenticate against the AD? The
howto I followed says you do not need to configure the users file.
I read the users.txt man page but it wasn't any help.

My krb5.conf is properly configured, running ntlm_auth from the
command line works perfectly.

Is there any howto that actually covers this properly?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: HELP: radtest fails local test

2007-04-13 Thread Alan DeKok
Jacob Jarick wrote:
 How do I configure the users file to authenticate against the AD? The
 howto I followed says you do not need to configure the users file.

  If you're using PEAP, yes.  If you're just using PAP, you need to tell
the server what to do.

 I read the users.txt man page but it wasn't any help.
 
 My krb5.conf is properly configured, running ntlm_auth from the
 command line works perfectly.

  So... when I said you need to run ntlm_auth, and you could use the
exec module to do that, what conclusion did you reach?

  Or, you can replace the reference to System in the users file with
Kerberos.  But be sure you've told FreeRADIUS to use the kerberos module.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: HELP: radtest fails local test

2007-04-13 Thread Jacob Jarick
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

OK, some more googling :P
and I've turned up this interesting howto which I will be trialing:
http://deployingradius.com/documents/configuration/active_directory.html

It covers "Configuring FreeRADIUS to use ntlm_auth" in a bit more detail
than the last one.



Re: HELP: radtest fails local test

2007-04-13 Thread Jacob Jarick
Alan,
Thanks so much for your advice mate. I got it going finally!

For people out there looking to do a similar setup, here is my short mini-howto:

1. Install Kerberos
2. Install OpenSSL
3. Install Samba
4. Follow the FreeRADIUS tutorial for AD integration:
http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf
5. Follow this guide, particularly the part about "Configuring
FreeRADIUS to use ntlm_auth":
http://deployingradius.com/documents/configuration/active_directory.html




Re: HELP: radtest fails local test

2007-04-13 Thread A.L.M. Buxey
Hi,

 and I've turned up this interesting howto which I will be trialing:
 http://deployingradius.com/documents/configuration/active_directory.html

yep - the official FreeRADIUS wiki/book combo from Alan D

alan


HELP: radtest fails local test

2007-04-12 Thread Jacob Jarick
Freeradius 1.1.3
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

A local test using radtest fails but I am unsure why. It looks like
it's trying to authenticate against the unix passwd file; I only need
FR to auth against our w2k3 AD server. Any help is appreciated.

[EMAIL PROTECTED] ~]# radtest Administrator pass 127.0.0.1:1812 10 testing123
Sending Access-Request of id 166 to 127.0.0.1 port 1812
User-Name = Administrator
User-Password = tfxsol
NAS-IP-Address = 255.255.255.255
NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20


radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 

Re: HELP: radtest fails local test

2007-04-12 Thread Alan DeKok
Jacob Jarick wrote:
 A local test using radtest fails but I am unsure why. It looks like
 it's trying to authenticate against the unix passwd file,

  Yes.  See the users file.  It sets authentication to /etc/passwd (or
system) if there's no other method set.

 I only need
 FR to auth against our w2k3 AD server. Any help is appreciated.

  For PAP authentication, you have to configure that manually.  i.e.
tell the server if you receive PAP, run ntlm_auth to authenticate
against AD.  See the exec module for how to run external programs.

  It looks like you didn't tell the server to authenticate against AD.
Please do so.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
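The change Alan describes in both of his replies (for PAP, run ntlm_auth through the exec module, and replace the users file entry that currently sends everything to System) and the "Configuring FreeRADIUS to use ntlm_auth" step of Jacob's mini-howto, written out here as an added example in the FreeRADIUS 1.1.x radiusd.conf layout. This is not configuration from the thread or from the guides it links. It assumes ntlm_auth is at /usr/bin/ntlm_auth (the path the posted mschap config already uses), that the server has been joined to an AD domain called EXAMPLE (a placeholder), and a test account jdoe (also a placeholder). The posted "radiusd -X" output shows the stock exec instance with "program = (null)", which is why nothing ever called ntlm_auth for the radtest request.

```conf
# --- radiusd.conf (FreeRADIUS 1.1.x; 2.x moves these into modules/ and
# --- sites-enabled/default, but the directives are the same) ---------

modules {
    # New exec instance.  Its name, ntlm_auth, becomes an Auth-Type value
    # once it is listed in the authenticate section below.
    exec ntlm_auth {
        wait = yes
        # %{mschap:User-Name} strips a DOMAIN\ prefix or host/ suffix from
        # the login name (same xlat the posted mschap config uses).
        # EXAMPLE is a placeholder for the real NetBIOS domain name.
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
    }

    # ... existing instances (pap, chap, mschap, unix, eap, files, ...)
    # stay as they are; the mschap instance already points at ntlm_auth
    # with --challenge/--nt-response for MS-CHAP and PEAP/MS-CHAPv2.
}

authorize {
    preprocess
    mschap
    eap
    files
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # "unix" used to sit here.  Listing the exec instance instead creates
    # Auth-Type ntlm_auth and runs the program above for those requests.
    ntlm_auth
    eap
}

# --- users ------------------------------------------------------------
#
# Replace the "DEFAULT Auth-Type = System" entry that sends every request
# without another method to /etc/passwd.  "=" (not ":=") only sets
# Auth-Type when nothing has set it yet, so EAP requests, which the eap
# module has already tagged Auth-Type = EAP in authorize, are untouched
# and only plain PAP requests reach ntlm_auth.
DEFAULT Auth-Type = ntlm_auth
        Fall-Through = 1

# Check from the RADIUS host, with "radiusd -X" running in another
# terminal (testing123 is the secret the thread's radtest used; the
# account and password are placeholders):
#
#   radtest jdoe 'P@ssw0rd' 127.0.0.1:1812 10 testing123
#
# Expect Access-Accept where the posted run got Access-Reject, and an
# rlm_exec line in the debug output showing ntlm_auth being invoked.
```

Two caveats before putting this in front of real clients. With wait = yes the cleartext password is passed to ntlm_auth as a command-line argument, so it is visible to any local user running ps for as long as ntlm_auth takes; keep untrusted logins off the RADIUS host, and prefer PEAP/MS-CHAPv2 (which the posted mschap config already handles via --challenge/--nt-response) for anything that can do better than PAP. Second, radiusd runs as user radiusd per the posted debug output, so if ntlm_auth works as root on the command line but fails under the server, check that the radiusd user is allowed to reach winbind's privileged pipe, which --request-nt-key needs.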