Re: HELP: radtest fails local test
Freeradius 1.1.3

smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

How do I configure the users file to authenticate against the AD? The howto I followed says you do not need to configure the users file. I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly. Is there any howto that actually covers this properly?

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file,
>
> Yes. See the users file. It sets authentication to /etc/passwd (or system) if there's no other method set.
>
> > I only need FR to auth against our w2k3 AD server. Any help is appreciated.
>
> For PAP authentication, you have to configure that manually. i.e. tell the server if you receive PAP, run ntlm_auth to authenticate against AD. See the exec module for how to run external programs.
>
> It looks like you didn't tell the server to authenticate against AD. Please do so.
>
> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: HELP: radtest fails local test
Jacob Jarick wrote:
> How do I configure the users file to authenticate against the AD? The howto I followed says you do not need to configure the users file.

If you're using PEAP, yes. If you're just using PAP, you need to tell the server what to do.

> I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly.

So... when I said you need to run ntlm_auth, and you could use the exec module to do that, what conclusion did you reach?

Or, you can replace the reference to System in the users file with Kerberos. But be sure you've told FreeRADIUS to use the kerberos module.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: HELP: radtest fails local test
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

OK, some more googling :P and I've turned up this interesting howto which I will be trialing:
http://deployingradius.com/documents/configuration/active_directory.html

It covers Configuring FreeRADIUS to use ntlm_auth in a bit more detail than the last one.

On 4/13/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Freeradius 1.1.3
>
> smb.conf http://pastebin.ca/437671
> radius.conf http://pastebin.ca/437670
> clients.conf http://pastebin.ca/437668
> eap.conf http://pastebin.ca/437667
> krb5.conf http://pastebin.ca/437666
>
> How do I configure the users file to authenticate against the AD? The howto I followed says you do not need to configure the users file. I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly. Is there any howto that actually covers this properly?
>
> On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > Jacob Jarick wrote:
> > > A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file,
> >
> > Yes. See the users file. It sets authentication to /etc/passwd (or system) if there's no other method set.
> >
> > > I only need FR to auth against our w2k3 AD server. Any help is appreciated.
> >
> > For PAP authentication, you have to configure that manually. i.e. tell the server if you receive PAP, run ntlm_auth to authenticate against AD. See the exec module for how to run external programs.
> >
> > It looks like you didn't tell the server to authenticate against AD. Please do so.
> >
> > Alan DeKok.
Re: HELP: radtest fails local test
Alan,

Thanks so much for your advice mate. I got it going finally!

For people out there looking to do a similar setup, here is my short mini howto:

1. Install Kerberos
2. Install OpenSSL
3. Install Samba
4. Follow the FreeRadius Tutorial for AD integration:
   http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf
5. Follow this guide, particularly the part about Configuring FreeRADIUS to use ntlm_auth:
   http://deployingradius.com/documents/configuration/active_directory.html

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > How do I configure the users file to authenticate against the AD? The howto I followed says you do not need to configure the users file.
>
> If you're using PEAP, yes. If you're just using PAP, you need to tell the server what to do.
>
> > I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly.
>
> So... when I said you need to run ntlm_auth, and you could use the exec module to do that, what conclusion did you reach?
>
> Or, you can replace the reference to System in the users file with Kerberos. But be sure you've told FreeRADIUS to use the kerberos module.
>
> Alan DeKok.
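The configuration the thread is circling around, reduced to the parts that matter for a PAP request from radtest: an exec module instance that runs ntlm_auth with the cleartext password, an authenticate section that knows that Auth-Type, and a users file entry that replaces the System fallback. This is an added illustration written for this page, not configuration taken from the thread, from Jacob's pastebins or from either guide; the instance name ntlm_auth, the domain EXAMPLE and the /usr/bin/ntlm_auth path are assumptions to adapt. The mschap module line already visible in the radiusd -X output above (the --challenge/--nt-response form) keeps handling MS-CHAP and PEAP/MS-CHAPv2 and is not changed here.

```conf
# radiusd.conf (FreeRADIUS 1.x) -- added example, not the poster's config.
# "ntlm_auth" below is an assumed instance name; "EXAMPLE" is an assumed NT domain.
modules {
    exec ntlm_auth {
        # wait = yes: the server blocks on the child and uses its exit status;
        # exit status 0 from ntlm_auth means AD accepted the credentials.
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
    }
}

authorize {
    preprocess
    # mschap sets Auth-Type MS-CHAP when the request carries MS-CHAP attributes,
    # so only plain PAP requests fall through to the DEFAULT entry in the users file.
    mschap
    files
    eap
}

authenticate {
    # This block did not exist in the stock config, which is why a PAP request
    # ended up at the unix module (Auth-Type System) and was rejected.
    Auth-Type ntlm_auth {
        ntlm_auth
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

# /etc/raddb/users -- one entry; replaces the implicit "Auth-Type := System" fallback.
DEFAULT Auth-Type := ntlm_auth
```

With this in place, the same radtest command should produce an Access-Accept if ntlm_auth on the box accepts the account, and radiusd -X will show the exec module being invoked for the request instead of the unix module. Two points worth keeping in mind: User-Password is interpolated onto a command line, so anyone who can list processes on the RADIUS host while a request is being handled can see the cleartext password, and PAP itself carries the password across the network protected only by the RADIUS shared secret. Keep shell access on the RADIUS host tightly restricted, and treat PAP-to-ntlm_auth as the exception for clients that cannot do PEAP/MS-CHAPv2, where the password never leaves the client in cleartext.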
Re: HELP: radtest fails local test
Hi,

> and I've turned up this interesting howto which I will be trialing:
> http://deployingradius.com/documents/configuration/active_directory.html

yep - the official FreeRADIUS wiki/book combo from Alan D

alan
HELP: radtest fails local test
Freeradius 1.1.3

smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file; I only need FR to auth against our w2k3 AD server. Any help is appreciated.

[EMAIL PROTECTED] ~]# radtest Administrator pass 127.0.0.1:1812 10 testing123
Sending Access-Request of id 166 to 127.0.0.1 port 1812
        User-Name = Administrator
        User-Password = tfxsol
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 10
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20

radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password:
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /dev/urandom
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
 tls: cipher_list = (null)
 tls: check_cert_issuer = (null)
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
Re: HELP: radtest fails local test
Jacob Jarick wrote:
> A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file,

Yes. See the users file. It sets authentication to /etc/passwd (or system) if there's no other method set.

> I only need FR to auth against our w2k3 AD server. Any help is appreciated.

For PAP authentication, you have to configure that manually. i.e. tell the server if you receive PAP, run ntlm_auth to authenticate against AD. See the exec module for how to run external programs.

It looks like you didn't tell the server to authenticate against AD. Please do so.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog