Re: FreeRadius + AD
Does this help? http://deployingradius.com/documents/configuration/active_directory.html
-- Blake Covarrubias

On Nov 8, 2012, at 3:09 PM, Maiquel Consalter maiquelconsal...@gmail.com wrote:
> Hi, can someone tell me where I can find step-by-step instructions on freeradius + Active Directory? Thanks -- Att, Maiquel
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius + AD
On 8 Nov 2012, at 22:09, Maiquel Consalter maiquelconsal...@gmail.com wrote:
> Hi, can someone tell me where I can find step-by-step instructions on freeradius + Active Directory?
http://lmgtfy.com/?q=deploying+freeradius+with+activedirectory
-Arran
Re: Freeradius + AD + WiFi + EAP
Kleber Larroyd wrote:
If you can't be bothered to explain *why* you're doing this, and *what* is going wrong, then we can't be bothered to read the reams of data you posted. It also helps to *read* the debug output. Really.
Alan DeKok.
Re: Freeradius + AD + WiFi + EAP
On 09/13/2010 10:35 AM, Kleber Larroyd wrote:
> Have any idea? Where can I find the solution? When I try to connect (Windows Vista) to the freeradius server *with wireless over access point* I get this error:
In the future please follow the instructions to send the *complete* output of radiusd -X *only*. Also please read the debug output before asking for help; your answer is in the output.
> Mon Sep 13 10:34:23 2010 : Info: [pap] WARNING! No known good password found for the user. Authentication may fail because of this.
> Mon Sep 13 10:34:23 2010 : Debug: rlm_eap_leap: No Cleartext-Password or NT-Password configured for this user
No password means you didn't configure authorization in the inner-tunnel. Your test only worked because it wasn't doing TLS and hence never entered the inner-tunnel virtual server.
-- John Dennis jden...@redhat.com
Re: Freeradius + AD + WiFi + EAP
Hi,
> peap {
>     default_eap_type = mschapv2
>     copy_request_to_tunnel = no
>     use_tunneled_reply = no
personally, I'd advise that you set those to yes rather than no.
> File /etc/raddb/users
> DEFAULT Auth-Type = ntlm_auth
you don't need to do this. ever. we do PEAP and don't have such a line - in fact, the only time you need to set this is if you need to break the system in a weird way
> Files /etc/raddb/sites-enable/inner-tunnel and /etc/raddb/sites-enable/default
> authenticate {
>     ntlm_auth
>     ...
> }
no no no. leave the inner-tunnel and default exactly as you found them - it will work out of the box. what guide were you following to get this working? I ask because if there is some document out there then it needs to be taken down.
> [r...@radiusserver etc]# ntlm_auth --request-nt-key --domain=MYDOMAINTEST --username=testuser01 --password=test
> NT_STATUS_OK: Success (0x0)
good, that bit's fine
> [r...@radiusserver /]# radtest testuser01 test localhost 0 teste123
> Sending Access-Request of id 51 to 127.0.0.1 port 1812
>     User-Name = testuser01
>     User-Password = test
>     NAS-IP-Address = 127.0.0.1
>     NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=51, length=20
and all that's done is a basic PAP test. you'd need to use more advanced tools such as eapol_test from the wpa_supplicant package for actually simulating a standard Windows client that is doing an EAP method - with an EAP test your packets would be proxied into the inner-tunnel virtual server...
alan
Re: FreeRadius + AD + Realms
> $ man unlang
> This says put the string %{1} as the value of Stripped-User-Name. See the data types' section of the manual page, and the strings section.
Got it ;) Thanks for your help, fixed now.
btw. the unlang way is quite a bit more flexible than the legacy module way. Was this problem even possible to solve without using unlang? (using freeradius 1.x for an example)
Re: FreeRadius + AD + Realms
Matthew P wrote:
> btw. the unlang way is quite a bit more flexible than the legacy module way
Yes. That's why it was written. But there is still a need for the modules.
> Was this problem even possible to solve without using unlang? (using freeradius 1.x for an example)
Likely not.
Alan DeKok.
Re: FreeRadius + AD + Realms
> > In a general regexp language, I guess that could be done with ([\w.-]+)(?...@.*).
> Most regexes don't support \w, or (?... constructs. Keep it simple:
> if (User-Name =~ /^(.*)@(.*)$/) {
>     # name = %{1}
>     # realm = %{2}
> }
Makes sense now :) Thanks. man regex is written mostly descriptively; it's much easier to understand from examples like these than on weeknights :D
But I guess I missed the point with doing it this way, because:
if (User-Name =~ /@mydomain.com/) {
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name = %{1}
        }
        ldap
    }
}
doesn't work ^^ It gives:
rlm_ldap - authorize
rlmd_ldap: performing user authorization for %{1}
...
Also, I tried to apply this directly in the ldap module configuration, different outcome, but also doesn't work. Where did I go wrong? -_-
Re: FreeRadius + AD + Realms
Matthew P wrote:
> But I guess I missed the point with doing it this way, because:
> if (User-Name =~ /@mydomain.com/) {
>     if (User-Name =~ /^(.*)@(.*)$/) {
>         update request {
>             Stripped-User-Name = %{1}
$ man unlang
This says put the string %{1} as the value of Stripped-User-Name. See the data types' section of the manual page, and the strings section.
Alan DeKok.
Re: FreeRadius + AD + Realms
Matthew P wrote:
> Although, now a new problem arose - I can't seem to get the (stripped) username in the inner-tunnel with preprocess. So the username stays in the form u...@mydomain.com, but that isn't usable for an LDAP search (on the AD).
So... decode the user-name using a regex. You can then use that in the LDAP configuration. The LDAP user search is configurable for a *reason*.
> Because there are realms involved in the scenario. If the realm is mydomain.com then radius needs to look up a user in AD. If the realm is mydomain2.com then it needs to consult sql. Otherwise it should proxy the request to a home server. What would be a proper way to do this? I thought setting up a virtual server for every scenario is the way to go?
It's an option, but not the only way to do it.
if (User-Name =~ /@mydomain.com/) {
    ldap
}
elsif (User-Name =~ /@mydomain2.com/) {
    sql
}
else {
    update control {
        Proxy-To-Realm := other
    }
}
Alan DeKok.
RE: Freeradius + AD + Cisco authentication
> Jevos, Peter wrote:
> > How should the ntlm_auth file look? How should the mschap module look? How should the parameter --require-membership-of look in these files? How should the users file look? These answers I was not able to find in any documentation
> Read the URLs from the previous message. This *is* documented. If you can't find it, read the documentation again.
> Alan DeKok.
Thank you for your answer Alan. However I was not able to find in these links anything about --require-membership-of and the vpn cisco client example (also searching on these pages found nothing :) Anyway I will follow your advice and read the documentation on these links again. Thank you
RE: Freeradius + AD + Cisco authentication
> Jevos, Peter wrote:
> > However I was not able to find in these links anything about --require-membership-of
> See the man page for ntlm_auth. It is just a Unix command that can be run, like anything else.
> > and the vpn cisco client example (also searching on these pages found nothing :)
> That's a Cisco issue, for Cisco documentation.
> Alan DeKok.
Thank you Alan, yes I can check the man page (to be honest, that was what I was afraid of :), but I was looking for examples. As I wrote in my first email, cisco is configured and working well with the IAS radius server. I was solving freeradius against the cisco. To be honest, I still cannot understand what the users file and other files should contain. One example of how to configure the users file and other files would be enough.
Re: Freeradius + AD + Cisco authentication
Jevos, Peter wrote:
> However I was not able to find in these links anything about --require-membership-of
See the man page for ntlm_auth. It is just a Unix command that can be run, like anything else.
> and the vpn cisco client example (also searching on these pages found nothing :)
That's a Cisco issue, for Cisco documentation.
Alan DeKok.
Re: FreeRadius + AD + Realms
Thanks for your help Alan, it really makes a difference when learning about Freeradius configuration.
> So... decode the user-name using a regex. You can then use that in the LDAP configuration. The LDAP user search is configurable for a *reason*.
I forgot to mention that I need the user portion of u...@mydomain.com for sql too. u...@mydomain.com only needs to be sent to the home server (in case the user doesn't have @mydomain.com or @mydomain2.com). In other words, both AD and DB contain usernames, without any realms. I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem to figure out how to make the logic - take everything before @ as a username. So please help. In a general regexp language, I guess that could be done with ([\w.-]+)(?...@.*).
> It's an option, but not the only way to do it.
> if (User-Name =~ /@mydomain.com/) {
>     ldap
> }
> elsif (User-Name =~ /@mydomain2.com/) {
>     sql
> }
> else {
>     update control {
>         Proxy-To-Realm := other
>     }
> }
Works nicely, thanks for this hint.
Matthew
Re: FreeRadius + AD + Realms
Matthew P wrote:
> I forgot to mention that I need the user portion of u...@mydomain.com for sql too. u...@mydomain.com only needs to be sent to the home server (in case the user doesn't have @mydomain.com or @mydomain2.com). In other words, both AD and DB contain usernames, without any realms. I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem to figure out how to make the logic - take everything before @ as a username. So please help.
See man regex for the regex format.
> In a general regexp language, I guess that could be done with ([\w.-]+)(?...@.*).
Most regexes don't support \w, or (?... constructs. Keep it simple:
if (User-Name =~ /^(.*)@(.*)$/) {
    # name = %{1}
    # realm = %{2}
}
Alan DeKok.
Re: Freeradius + AD + Cisco authentication
Jevos, Peter wrote:
> Thank you Alan, yes I can check the man page (to be honest, that was what I was afraid of :), but I was looking for examples.
Please also edit your replies. There is no need to leave the original message at the top of your reply.
> As I wrote in my first email, cisco is configured and working well with the IAS radius server. I was solving freeradius against the cisco. To be honest, I still cannot understand what the users file and other files should contain. One example of how to configure the users file and other files would be enough.
The users file contains documentation and *many* examples. There's no need for me to cut and paste those examples on this list. You already have them in front of you.
Alan DeKok.
Re: Freeradius + AD + Cisco authentication
On Fri, Jul 2, 2010 at 6:43 PM, Jevos, Peter peter.je...@oriflame.com wrote:
> Actually I'm not really clever, because the main tutorial on the main pages is connected with the older version, and there are more versions of Freeradius 2.0, a bit different:
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
> http://deployingradius.com/documents/configuration/active_directory.html
That page has updated tutorials for 2.x
> Can somebody please help me how to finish the freeradius configuration (the NAS server will be cisco)? I know that there should be entries in the users file, eap file, mschap or ntlm_auth modules. But what the proper syntax should be I really don't know
Which part did you find not clear from http://deployingradius.com/documents/configuration/active_directory.html? It clearly says which file(s) to edit/create. One note though, when it says Create a file raddb/modules/ntlm_auth, the actual location can vary depending on how you got freeradius installed. For example, with RHEL/Centos/Fedora and their bundled freeradius2, the file location would be /etc/raddb/modules/ntlm_auth. On the other hand, if you installed manually from source, the file might be in /usr/local/etc/raddb/modules/ntlm_auth
-- Fajar
RE: Freeradius + AD + Cisco authentication
Hi, thank you for your email. So as I said before, I have working ntlm_auth in the form of:
Linux# /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=MYNAME --require-membership-of='DOMAIN+DOMAIN_GROUP'
That works from the command line. It returns OK status.
So now, I have about 60 domains. Users are authenticated through the VPN Cisco client with domain\username and password.
How should the ntlm_auth file look? How should the mschap module look? How should the parameter --require-membership-of look in these files? How should the users file look? These answers I was not able to find in any documentation.
I'm using freeradius2-2.1.7-7.el5 (RED HAT)
Thanks
Re: Freeradius + AD + Cisco authentication
Jevos, Peter wrote:
> How should the ntlm_auth file look? How should the mschap module look? How should the parameter --require-membership-of look in these files? How should the users file look? These answers I was not able to find in any documentation
Read the URLs from the previous message. This *is* documented. If you can't find it, read the documentation again.
Alan DeKok.
Re: FreeRadius + AD + Realms
> > realm mydomain.com {
> >     auth_pool = active_directory
> You'll need a line:
>     nostrip
> To avoid EAP identity issues.
This worked, thanks. Preprocess doesn't strip the username in the default server and EAP works. Although, now a new problem arose - I can't seem to get the (stripped) username in the inner-tunnel with preprocess. So the username stays in the form u...@mydomain.com, but that isn't usable for an LDAP search (on the AD). (btw. if I test without the realm portion of the scenario, like AD is the only source of authentication, it works)
> > i.e. it doesn't proxy it.
> This *does* work in 2.1.9. So which version are you running?
I'm sorry, it was my mistake. I configured proxy_requests = no, because I thought it was meant for a server when it was only proxying requests from other sources (since this option opens a special proxying listening port). Fixed now, proxying to the virtual server works.
> And why are you creating this complicated configuration? The inner-tunnel virtual server is set up *precisely* for this kind of authentication. You do EAP in the default server. Then, the inner-tunnel server gets the PAP password, and you can configure it to look the user up in AD there.
Because there are realms involved in the scenario. If the realm is mydomain.com then radius needs to look up a user in AD. If the realm is mydomain2.com then it needs to consult sql. Otherwise it should proxy the request to a home server. What would be a proper way to do this? I thought setting up a virtual server for every scenario is the way to go?
TIA!
Re: FreeRadius + AD + Realms
Matthew P wrote:
> I'm new to FreeRadius, so please bear with me. :)
Good questions are a very good start.
> Goal: Make FreeRadius look up a user in ActiveDirectory if he has the mydomain.com domain. Used method: EAP/TTLS (PAP in the tunnel). This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :) (it doesn't seem to load the local_ad virtual server configuration, which I placed in the sites-enabled directory; it seems to just carry on executing the default server)
If you read the start of the debug output, it *should* show it loading the local_ad virtual server. The output below shows it not *proxying* the request to the local_ad virtual server.
> realm mydomain.com {
>     auth_pool = active_directory
You'll need a line:
    nostrip
To avoid EAP identity issues.
> ...
> rlm_realm: Preparing to proxy authentication request to realm mydomain.com
> ++[suffix] returns updated
> rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> There was no response configured: rejecting request 0
> i.e. it doesn't proxy it.
This *does* work in 2.1.9. So which version are you running?
And why are you creating this complicated configuration? The inner-tunnel virtual server is set up *precisely* for this kind of authentication. You do EAP in the default server. Then, the inner-tunnel server gets the PAP password, and you can configure it to look the user up in AD there. In fact, you should only need to do the following:
* start with the default config
* uncomment ldap everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work
The default configuration is designed to work in the widest possible set of circumstances, with a minimal set of changes required to add any common functionality.
Alan DeKok.
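As an added worked example for this thread (it is not configuration posted by Alan or Matthew), this is how the pieces discussed fit together: a nostrip realm so the EAP identity survives in the default server, the regex split in inner-tunnel with the capture written as a double-quoted "%{1}" (the unquoted form that produced the literal %{1} in the rlm_ldap debug output is left in as a comment), and the ldap/sql/proxy dispatch. The regex, the use of the Realm attribute and the filter comments are my own choices; ldap, sql and the realm named other come from the thread, and other is assumed to be defined in proxy.conf with a home server.

```unlang
# proxy.conf: the local realms are listed so that rlm_realm (suffix) knows
# them, but nostrip keeps the full user@realm identity for EAP in the
# default server. No pool means "handle locally".
realm mydomain.com {
        nostrip
}
realm mydomain2.com {
        nostrip
}
# realm other { ... }   # assumed: points at the home server (not shown)

# sites-enabled/inner-tunnel: the TTLS inner request arrives here with the
# PAP password, so the user lookup belongs here, not in the default server.
# Everything else in the shipped authorize section stays as it is.
server inner-tunnel {
authorize {
        # Split "user@realm". [^@] is plain POSIX regex; no \w or (?...) needed.
        if (User-Name =~ /^([^@]+)@([^@]+)$/) {
                update request {
                        # WRONG: unquoted, the attribute receives the literal
                        # text %{1}, which is exactly what rlm_ldap then
                        # searched for in the debug output above.
                        # Stripped-User-Name := %{1}

                        # RIGHT: %{1} and %{2} expand only inside a
                        # double-quoted string.
                        Stripped-User-Name := "%{1}"
                        Realm := "%{2}"
                }
        }

        # Dispatch on the realm captured above; a name with no "@" at all
        # falls through to the proxy branch.
        if (Realm == "mydomain.com") {
                # modules/ldap points at AD; its filter should key on the
                # stripped name, e.g. (sAMAccountName=%{Stripped-User-Name})
                ldap
        }
        elsif (Realm == "mydomain2.com") {
                # the SQL tables hold bare usernames, so the sql queries
                # should also use %{Stripped-User-Name}
                sql
        }
        else {
                # neither local realm: send the inner request to the home server
                update control {
                        Proxy-To-Realm := other
                }
        }

        # pap stays, so a Cleartext-Password returned by ldap or sql is used
        pap
}
}
```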
Re: freeradius + ad
Hi,
> I have taken 1.1.6 version.
why? oh dear why?!? 1.1.7 is the latest 1.1.x release and it's there for many many reasons. I don't grab a Linux 0.9 kernel if I want to run a Linux server.
> I am not very clear on configuring the files. First we are going to do dummy testing.
for very very basic testing you only need to edit 3 files
radiusd.conf - set the userid, groupid and listen directive (and that's it! leave the rest alone!)
clients.conf - edit the 127.0.0.1 entry eg
client 127.0.0.1 {
    secret = the_secret_i_put_into_clients.conf
    shortname = localhost
    nastype = other
}
users - at the very top add a test user eg
my_Test_user_00x1 Cleartext-Password := bigf439qyft789
that should be it. you can then use, eg radtest, to check it's alive. so open 2 terminal windows... in one, type
radiusd -X
(to run freeradius in full debugging) and in the other type
radtest my_Test_user_00x1 bigf439qyft789 localhost 1812 the_secret_i_put_into_clients.conf
> Can we give a file name as the argument in the command line while using radtest? If so, how to use?
man radclient
radtest is a little more basic. it's the 'basic freeradius 101' test tool
alan
RE: freeradius + ad
Whether the password given in the Users file is an encrypted password or normal? Whether the secret which I am configuring in clients.conf should be configured anywhere else? All these files should be configured in the path /usr/local/etc/xxx.conf. Is this right?
RE: freeradius + ad
> Whether the password given in the Users file is an encrypted password or normal?
Cleartext-Password is normal.
> Whether the secret which I am configuring in clients.conf should be configured anywhere else?
On a client which is sending radius packets. With the server's IP address.
> All these files should be configured in the path /usr/local/etc/xxx.conf. Is this right?
Path is /usr/local/etc/raddb/ by default.
Ivan Kalik
Kalik Informatika ISP
RE: freeradius + ad
On a radius client device (switch, AP, router, server, ...) which is trying to authenticate the user.
Ivan Kalik
Kalik Informatika ISP
On 31/8/2007, Pelluru Sujatha [EMAIL PROTECTED] wrote:
> I did not get clearly where to configure the secret other than the /usr/local/etc/raddb/clients.conf file.
Re: freeradius + ad
Hi,
> Whether the password given in the Users file is an encrypted password or normal?
your choice!
> Whether the secret which I am configuring in clients.conf should be configured anywhere else?
yes - on the NAS itself. but if you're using radtest or radclient then that software is a virtual NAS so you use it with that tool.
alan
> All these files should be configured in the path /usr/local/etc/xxx.conf. Is this right?
heck! I don't know how you've configured your system mate! by default it would all be in /usr/local/etc/raddb. if it's installed via RPM or yum or yast or 'umwifolm' then it'll be where the package manager has decided it would be - /etc/raddb, /opt/freeradius/config/, /usr/local/freeradius/etc/ etc etc
alan
Re: freeradius + ad
Hi,
> I did not get clearly where to configure the secret other than the /usr/local/etc/raddb/clients.conf file.
unless (UNLESS) you are using some other NAS authentication method - eg sticking them into an SQL table for checking, clients.conf is the ONLY place where the NAS secret needs to be placed. that is the single place where freeradius reads to check the secrets for each NAS (or direct client talking to the FR server - which are also known as NAS in that context)
alan
Re: freeradius + ad
Alexsander wrote:
> alan, have you already seen freeradius work with active directory?? do you have some example file?
http://deployingradius.com/documents/configuration/active_directory.html
BUT if you have ntlm_auth working from the command line, 99% of the work is done. Again, if ntlm_auth is telling the server that the MSCHAP authentication was invalid, then there isn't much that can be done to fix that.
Alan DeKok.
Re: freeradius + ad
alan, have you already seen freeradius work with active directory?? do you have some example file?
tkx
On 8/31/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Alexsander wrote:
> > yes, i took it from the site freeradius.org, version 1.1.7, is correct?
> Yes... the changes in 1.1.2 (or so) mean that the entire command line isn't being printed out. That should be fixed. In the mean time, ntlm_auth is telling the server that the MSCHAP authentication was invalid. There isn't much that can be done to fix that.
> Alan DeKok.
-- Alexsander A. Rodrigues
If you had to identify, in one word, the reason why the human race has not yet reached (and never will reach) its full potential, that word would be MEETINGS. L.F.V.
http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=413267
RE: freeradius + ad
I did not get clearly where to configure the secret other than the /usr/local/etc/raddb/clients.conf file.
RE: freeradius + ad
I have taken 1.1.6 version. I am not very clear on configuring the files. First we are going to do dummy testing. What are the changes to be done on client and server configurations? Can we give a file name as the argument in the command line while using radtest? If so, how to use?
Re: freeradius + ad
yes, i took it from the site freeradius.org, version 1.1.7, is correct?
On 8/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Alexsander wrote:
> > 1 - but freeradius doesn't print out any message using ntlm_auth (except this one: mschap: ntlm_auth = /usr/bin/ntlm_auth...%{ntdomain} ...)
> Are you sure you're running a recent version? It SHOULD be printing out the entire ntlm_auth command.
> > 2 - the windows machine is already on the network and logged on (with my username), I'm just swapping the switch port that this machine is connected to - swapping between port 15 (without authentication) and port 16 (with authentication) - and keeping a ping -t 10.134.64.1 on screen to see when the connection is lost when I do
> Then I suspect that the ntlm_auth command you've configured is wrong, or isn't being used.
> Alan DeKok.
-- Alexsander A. Rodrigues
Re: freeradius + ad
Alexsander wrote:
> yes, i took it from the site freeradius.org, version 1.1.7, is correct?

Yes... the changes in 1.1.2 (or so) mean that the entire command line isn't being printed out. That should be fixed.

In the mean time, ntlm_auth is telling the server that the MSCHAP authentication was invalid. There isn't much that can be done to fix that.

Alan DeKok.
Re: freeradius + ad
Alexsander wrote:
> how can I know what kind of error it is?

What part of the error message is unclear?

> AD account is ok (I'm using that); the password works fine when I run the ntlm_auth command manually:
>
> ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
> password:
> (Success)

Which is completely different than what is output in debugging mode, isn't it?

Try taking the ntlm_auth command line that FreeRADIUS prints out in debugging mode, and running it from the CLI. It won't work. The user entered a wrong password.

Alan DeKok.
Re: freeradius + ad
1 - but freeradius doesn't print out any message using ntlm_auth (except this one: mschap: ntlm_auth = /usr/bin/ntlm_auth...%{ntdomain} ...)

2 - the windows machine is already on the network and logged on (with my username), I just swap the switch port that this machine is connected to - swapping between port 15 (without authentication) and port 16 (with authentication) - and keep a ping -t 10.134.64.1 on screen to see when the connection is lost when I do.

tkx

On 8/29/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Alexsander wrote:
> > how can I know what kind of error it is?
>
> What part of the error message is unclear?
>
> > AD account is ok (I'm using that); the password works fine when I run the ntlm_auth command manually:
> >
> > ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
> > password:
> > (Success)
>
> Which is completely different than what is output in debugging mode, isn't it?
>
> Try taking the ntlm_auth command line that FreeRADIUS prints out in debugging mode, and running it from the CLI. It won't work. The user entered a wrong password.
>
> Alan DeKok.
Re: freeradius + ad
Alexsander wrote:
> 1 - but freeradius doesn't print out any message using ntlm_auth (except this one: mschap: ntlm_auth = /usr/bin/ntlm_auth...%{ntdomain} ...)

Are you sure you're running a recent version? It SHOULD be printing out the entire ntlm_auth command.

> 2 - the windows machine is already on the network and logged on (with my username), I just swap the switch port that this machine is connected to - swapping between port 15 (without authentication) and port 16 (with authentication) - and keep a ping -t 10.134.64.1 on screen to see when the connection is lost when I do.

Then I suspect that the ntlm_auth command you've configured is wrong, or isn't being used.

Alan DeKok.
Re: freeradius + ad
Hi Alan,

how can I know what kind of error it is? AD account is ok (I'm using that); the password works fine when I run the ntlm_auth command manually:

ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
password:
(Success)

On 8/24/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Alexsander wrote:
> > Hi Alan, this is the complete log captured using:
> ...
> > radius_xlat: '--nt-response=b5064e14567ab057f0757ee512947c1a900138564585ef02'
> > Exec-Program output: Logon failure (0xc06d)
>
> Yes, there's a lot of output in debugging mode. Read it.
>
> You're running ntlm_auth, and it's returning login failure. Fix that.
>
> Alan DeKok.
Re: freeradius + ad
Alexsander wrote:
> Hi Alan, this is the complete log captured using:
...
> radius_xlat: '--nt-response=b5064e14567ab057f0757ee512947c1a900138564585ef02'
> Exec-Program output: Logon failure (0xc06d)

Yes, there's a lot of output in debugging mode. Read it.

You're running ntlm_auth, and it's returning login failure. Fix that.

Alan DeKok.
Re: freeradius + ad
hi joe, see this:

s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
password:
[2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
NT_STATUS_OK: Success (0x0)
s8860ru01:/etc#

doesn't that mean that ntlm_auth is working?

On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
> > Exec-Program output: Logon failure (0xc06d)
> > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> > Exec-Program: returned: 1
> > rlm_mschap: External script failed.
>
> those are prolly the lines of interest, your ntlm_auth is failing. try it via the command line, once you get it working via the command line you'll have a MUCH better chance of it working in freeradius. hints are kinit - get that working; also get wbinfo -u listing your domain users
>
> Joe Vieira
> UNIX Systems Administrator
> Clark University
Re: freeradius + ad
Hi,

> hi joe, see this:
>
> s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
> password:
> [2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
> lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
> NT_STATUS_OK: Success (0x0)
> s8860ru01:/etc#
>
> doesn't that mean that ntlm_auth is working?

yes - when used with those commands.

> On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
> > > Exec-Program output: Logon failure (0xc06d)
> > > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> > > Exec-Program: returned: 1
> > > rlm_mschap: External script failed.

this shows a login failure with ntlm_auth. check out the debug to see why. it could be that the username or domain is being passed incorrectly

alan
Re: freeradius + ad
tks alan! is there some way to force the log to show me what parameters it is passing to the ntlm_auth bin?

On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
> > hi joe, see this:
> >
> > s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
> > password:
> > [2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
> > lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
> > NT_STATUS_OK: Success (0x0)
> > s8860ru01:/etc#
> >
> > doesn't that mean that ntlm_auth is working?
>
> yes - when used with those commands.
>
> > On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
> > > > Exec-Program output: Logon failure (0xc06d)
> > > > Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> > > > Exec-Program: returned: 1
> > > > rlm_mschap: External script failed.
>
> this shows a login failure with ntlm_auth. check out the debug to see why. it could be that the username or domain is being passed incorrectly
>
> alan
Re: freeradius + ad
hi alan,

when I captured the log I was using radiusd -X -A -y -z output.log

another thing: I captured some pieces of the output log:

radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: '--domain=REFAP'
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=dadfh9'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: c6
radius_xlat: '--challenge=8fd10da49268b4b6'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1'

and did another test:

s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9 --challenge=8fd10da49268b4b6 --nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1
Logon failure (0xc06d)   - logon error again
s8860ru01:/tmp#
s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
password:
[2007/08/17 14:47:06, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
NT_STATUS_OK: Success (0x0)
s8860ru01:/tmp#

it's like a wrong response or challenge or some kind of hash.

ps.: in output.log I saw these lines:

mschap: with_ntdomain_hack = yes
mschapv2: with_ntdomain_hack = no   - must this be yes or not?
preprocess: with_ntdomain_hack = no

On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> hi,
>
> last time i checked i'm sure its printed in full debug mode : radiusd -X
>
> alan
Re: freeradius + ad
hi alan,

enabling log_goodpass and log_badpass I got these lines:

rlm_mschap: External script failed.
rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
rlm_eap: Freeing handler
modcall[authenticate]: module eap returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect (rlm_mschap: Logon failure (0xc06d)): [REFAP\\dadfh9/no User-Password attribute] (from client localhost port 0)

does this mean that ntlm_auth isn't receiving the password parameter??

On 8/17/07, Alexsander [EMAIL PROTECTED] wrote:
> hi alan,
>
> when I captured the log I was using radiusd -X -A -y -z output.log
>
> another thing: I captured some pieces of the output log:
>
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
> radius_xlat: '--domain=REFAP'
> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> radius_xlat: '--username=dadfh9'
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
> mschap2: c6
> radius_xlat: '--challenge=8fd10da49268b4b6'
> radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
> radius_xlat: '--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1'
>
> and did another test:
>
> s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9 --challenge=8fd10da49268b4b6 --nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1
> Logon failure (0xc06d)   - logon error again
> s8860ru01:/tmp#
> s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
> password:
> [2007/08/17 14:47:06, 10] intl/lang_tdb.c:lang_tdb_init(138)
> lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
> NT_STATUS_OK: Success (0x0)
> s8860ru01:/tmp#
>
> it's like a wrong response or challenge or some kind of hash.
>
> ps.: in output.log I saw these lines:
>
> mschap: with_ntdomain_hack = yes
> mschapv2: with_ntdomain_hack = no   - must this be yes or not?
> preprocess: with_ntdomain_hack = no
>
> On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > hi,
> >
> > last time i checked i'm sure its printed in full debug mode : radiusd -X
> >
> > alan
Re: freeradius + ad
Alexsander wrote:
> hi alan,
>
> enabling log_goodpass and log_badpass I got these lines:
>
> rlm_mschap: External script failed.

And right before that in the log it shows you WHAT script it's running, and WHY it failed. If you want to solve the problem, don't delete every piece of useful information from the logs you post to the list.

The debug output shows you the ntlm_auth command that the server is running. Since it works when you run it from the command line, the obvious next step is to _compare_ the two. Then, if there are differences, make the BROKEN one more like the WORKING one.

Alan DeKok.
Re: freeradius + ad
> Exec-Program output: Logon failure (0xc06d)
> Exec-Program-Wait: plaintext: Logon failure (0xc06d)
> Exec-Program: returned: 1
> rlm_mschap: External script failed.

those are prolly the lines of interest, your ntlm_auth is failing. try it via the command line, once you get it working via the command line you'll have a MUCH better chance of it working in freeradius. hints are kinit - get that working; also get wbinfo -u listing your domain users

Joe Vieira
UNIX Systems Administrator
Clark University
Re: FreeRadius+AD integration
Hello All,

Could some one please tell me why ntlm_auth is returning OK without looking up the ADS? I couldn't understand the debug.

On 5/1/07, shrikant Bhat [EMAIL PROTECTED] wrote:
> Alan,
>
> My intention is not to argue; since I couldn't understand the debug I posted the message.
>
> On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > shrikant Bhat wrote:
> > > I don't have the user in Active directory, yet free radius sends an accept packet.
> >
> > I did read the debug output, unlike you. It shows why. I told you why. Stop arguing and read the debug output again, and my responses.
> >
> > It's not FreeRADIUS. You have configured FreeRADIUS to reply with an Access-Accept if the ntlm_auth module returns OK. For some reason, the ntlm_auth is returning OK. Go find out why that's happening, and fix it.
> >
> > Do NOT reply with "but freeradius sends an access accept". That reply indicates that you're not reading the messages here. If you're not going to read the answers to your questions, I suggest you stop asking the questions. You're wasting your time, and ours.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> Hello All,
>
> Could some one please tell me why ntlm_auth is returning OK without looking up the ADS?

Ask the people who wrote ntlm_auth?

Alan DeKok.
Re: FreeRadius+AD integration
Sorry I forgot to attach the radiusd.conf and debug results.

***
..
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
# The logging messages for the server are appended to the
# tail of this file.
#
log_file = ${logdir}/radius.log

libdir = /usr/local/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
# max_requests = 1024
# bind_address = *
# port = 0
# hostname_lookups = no
# allow_core_dumps = no

# Regular expressions
# regular_expressions = yes
extended_expressions = yes

# Log the full User-Name attribute, as it was found in the request.
# log_stripped_names = no

# Log authentication requests to the log file.
#
# allowed values: {no, yes}
# log_auth = no

# Log passwords with the authentication requests.
# log_auth_badpass - logs password if it's rejected
# log_auth_goodpass - logs password if it's correct
#
# allowed values: {no, yes}
# log_auth_badpass = no
log_auth_goodpass = no

usercollide = no
# lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

#
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}

$INCLUDE ${confdir}/clients.conf

# SNMP CONFIGURATION
snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
	start_servers = 5
	max_servers = 32
	# min_spare_servers = 3
	max_spare_servers = 10
	# There may be memory leaks or resource allocation problems with
	max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
	exec ntlm_auth {
		wait = no
		program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.ORG --username=%{mschap:User-Name} --password=%{User-Password}
	}
	#
	pap {
		encryption_scheme = crypt
	}
	chap {
		authtype = CHAP
	}
	$INCLUDE ${confdir}/eap.conf
	mschap {
		# authtype = MS-CHAP
		# ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN.ORG} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
	}
	checkval {
		# The attribute to look for in the request
		item-name = Calling-Station-Id
		# The attribute to look for in check items. Can be multi valued
		check-name = Calling-Station-Id
		# The data type. Can be
		# string,integer,ipaddr,date,abinary,octets
		data-type = string
		# If set to yes and we dont find the item-name attribute in the
		# request then we send back a reject
		# DEFAULT is no
		#notfound-reject = no
	}
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
	}
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes
		perm = 0600
		callerid = yes
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = no
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	expr {
	}
	exec {
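Two checks that the threads above keep coming back to, as an added example that is not code from the list or from FreeRADIUS: rebuilding the exact ntlm_auth command line FreeRADIUS 1.x ran from the radius_xlat lines in radiusd -X output, so it can be re-run by hand and compared with the one that works (the first thread), and spotting an exec module instance running with wait = no, which forks ntlm_auth but never sees its exit status and so returns ok for any user and password (the radiusd.conf just above). The debug excerpt is constructed from lines quoted in the threads, the REFAP domain, the username and the hashes are the thread's own values, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the list or from FreeRADIUS.
# Operates on the text that "radiusd -X" (FreeRADIUS 1.x) prints.

# Constructed radiusd -X excerpt, stitched together from lines quoted in the
# threads above: the exec module instance from the radiusd.conf post, and the
# mschap xlat expansions and ntlm_auth result from the first thread.
write_sample_debug() {
  # $1: file to write the excerpt to
  cat >"$1" <<'EOF'
exec: wait = no
exec: program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.ORG --username=%{mschap:User-Name} --password=%{User-Password}
mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-REFAP} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: '--domain=REFAP'
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=dadfh9'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: c6
radius_xlat: '--challenge=8fd10da49268b4b6'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1'
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
rlm_mschap: External script failed.
EOF
}

# Rebuild the command line rlm_mschap actually ran: the static words of the
# "mschap: ntlm_auth =" setting (those without a %{...} expansion) followed by
# every expanded argument radius_xlat printed, in order.  Re-running the
# printed result by hand is the comparison Alan asks for in the first thread.
rebuild_ntlm_auth_cmd() {
  # $1: radiusd -X output; prints the command, returns 1 if none is configured
  static=$(sed -n 's/^mschap: ntlm_auth = //p' "$1" | head -n 1 |
           tr ' ' '\n' | grep -v '%{' | tr '\n' ' ')
  case "$static" in
    ""|"(null) ") return 1 ;;
  esac
  args=$(sed -n "s/^radius_xlat: '\(--[a-z-]*=[^']*\)'$/\1/p" "$1" | tr '\n' ' ')
  printf '%s%s\n' "$static" "${args% }"
}

# Exit status of the last external program rlm_mschap waited for; the line is
# only printed when the server waited, so it is empty for a wait = no module.
exec_program_status() {
  sed -n 's/^Exec-Program: returned: \([0-9]*\)$/\1/p' "$1" | tail -n 1
}

# True (0) when an exec module instance runs with wait = no.  rlm_exec then
# forks the program and returns ok without seeing its exit status, which is
# why "Auth-Type = ntlm_auth" in the users file accepted a user AD never had.
check_exec_fail_open() {
  grep -q '^exec: wait = no$' "$1"
}

# Stand-alone demonstration on the constructed excerpt.
demo=$(mktemp)
write_sample_debug "$demo"
if cmd=$(rebuild_ntlm_auth_cmd "$demo"); then
  echo "ntlm_auth command FreeRADIUS ran (re-run it by hand to compare):"
  echo "  $cmd"
  echo "ntlm_auth exit status seen by the server: $(exec_program_status "$demo")"
fi
if check_exec_fail_open "$demo"; then
  echo "WARNING: an exec module has wait = no; its result is always ok (fail-open)."
fi
rm -f "$demo"
```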
Re: FreeRadius+AD integration
It must be you. So you are the right person to tell me what is causing ntlm_auth to send OK.

SB

On 5/2/07, Alan DeKok [EMAIL PROTECTED] wrote:
> shrikant Bhat wrote:
> > Hello All,
> >
> > Could some one please tell me why ntlm_auth is returning OK without looking up the ADS?
>
> Ask the people who wrote ntlm_auth?
>
> Alan DeKok.
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> It must be you. So you are the right person to tell me what is causing ntlm_auth to send OK.

Umm... no. 10 seconds of reading documentation would lead you to conclude that ntlm_auth is part of the Samba project. I am not part of the Samba project.

Start reading documentation. Stop asking questions on this list about ntlm_auth.

Alan DeKok.
RE: FreeRadius+AD integration
Why not try this? Worked for us.

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

Note that the first thing configured is the Samba server. It doesn't even mention installing the Freeradius server until after the Samba configuration is completed.

> Hi,
>
> It must be you. So you are the right person to tell me what is causing ntlm_auth to send OK.
Re: FreeRadius+AD integration
The deploying freeradius + AD is an excellent guide for the ntlm_auth method.

I'm guessing it is because your ntlm_auth command is commented out in the mschap part.

On 5/2/07, Danner, Mearl [EMAIL PROTECTED] wrote:
> Why not try this? Worked for us.
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> Note that the first thing configured is the Samba server. It doesn't even mention installing the Freeradius server until after the Samba configuration is completed.
>
> > Hi,
> >
> > It must be you. So you are the right person to tell me what is causing ntlm_auth to send OK.
Re: FreeRadius+AD integration
Alan,

My intention is not to argue; since I couldn't understand the debug I posted the message.

On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
> shrikant Bhat wrote:
> > I don't have the user in Active directory, yet free radius sends an accept packet.
>
> I did read the debug output, unlike you. It shows why. I told you why. Stop arguing and read the debug output again, and my responses.
>
> It's not FreeRADIUS. You have configured FreeRADIUS to reply with an Access-Accept if the ntlm_auth module returns OK. For some reason, the ntlm_auth is returning OK. Go find out why that's happening, and fix it.
>
> Do NOT reply with "but freeradius sends an access accept". That reply indicates that you're not reading the messages here. If you're not going to read the answers to your questions, I suggest you stop asking the questions. You're wasting your time, and ours.
>
> Alan DeKok.
Re: FreeRadius+AD integration
Hi,

Any one who can help me with this? thanks in advance

SB

On 4/27/07, shrikant Bhat [EMAIL PROTECTED] wrote:
> On line 154 I have default Auth-Type = ntlm_auth. If I comment this out I get the Access-Reject packet.
>
> thanks,
> SB
>
> On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > Well, it matched something in the users file:
> >
> > users: Matched entry DEFAULT at line 154
> >
> > On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
> > > Yes I figured that. thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug. thanks for the help.
> > >
> > > *
> > > rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
> > > User-Name = raduser
> > > User-Password = radpass
> > > NAS-IP-Address = 255.255.255.255
> > > NAS-Port = 0
> > > Processing the authorize section of radiusd.conf
> > > modcall: entering group authorize for request 3
> > > modcall[authorize]: module preprocess returns ok for request 3
> > > modcall[authorize]: module chap returns noop for request 3
> > > modcall[authorize]: module mschap returns noop for request 3
> > > rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
> > > rlm_realm: No such realm NULL
> > > modcall[authorize]: module suffix returns noop for request 3
> > > rlm_eap: No EAP-Message, not doing EAP
> > > modcall[authorize]: module eap returns noop for request 3
> > > users: Matched entry DEFAULT at line 154
> > > modcall[authorize]: module files returns ok for request 3
> > > modcall: leaving group authorize (returns ok) for request 3
> > > rad_check_password: Found Auth-Type ntlm_auth
> > > auth: type ntlm_auth
> > > Processing the authenticate section of radiusd.conf
> > > modcall: entering group authenticate for request 3
> > > radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> > > radius_xlat: '--username=raduser'
> > > radius_xlat: '--password=radpass'
> > > modcall[authenticate]: module ntlm_auth returns ok for request 3
> > > modcall: leaving group authenticate (returns ok) for request 3
> > > Sending Access-Accept of id 100 to 127.0.0.1 port 32779
> > > Finished request 3
> > > Going to the next request
> > > --- Walking the entire request list ---
> > > Waking up in 6 seconds...
> > > --- Walking the entire request list ---
> > > Cleaning up request 3 ID 100 with timestamp 4631d1f0
> > > Nothing to do. Sleeping until we see a request.
> > >
> > > On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > > > Error seems to be because shared secret is testing123 not testing 123. But you need to paste output of radiusd -X after Access-Request. Open two ssh sessions and do radtest from one and radiusd -X from the other.
> > > >
> > > > Ivan Kalik
> > > > Kalik Informatika ISP
> > > >
> > > > On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
> > > > > I get this error
> > > > >
> > > > > [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
> > > > > Sending Access-Request of id 47 to 127.0.0.1 port 1812
> > > > > User-Name = raduser
> > > > > User-Password = radpass
> > > > > NAS-IP-Address = 255.255.255.255
> > > > > NAS-Port = 0
> > > > > Framed-Protocol = PPP
> > > > > rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
> > > > > rad_verify: Received Access-Accept packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
> > > > >
> > > > > On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> > > > > > And what happens when you get Access-Request?
> > > > > >
> > > > > > On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
> > > > > > > Hello Alan,
> > > > > > >
> > > > > > > I have built and installed 1.1.6 version of FreeRadius. When I test using radtest it authenticates any user with any password; what I mean by this is it doesn't seem to contact the ADS to look up the user information and authenticate. I have attached the debug
> > > > > > >
> > > > > > > *
> > > > > > > [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> > > > > > > Starting - reading configuration files ...
> > > > > > > reread_config: reading radiusd.conf
> > > > > > > Config: including file: /etc/raddb/clients.conf
> > > > > > > Config: including file: /etc/raddb/snmp.conf
> > > > > > > Config: including file: /etc/raddb/eap.conf
> > > > > > > Config: including file: /etc/raddb/sql.conf
> > > > > > > main: prefix = /usr
> > > > > > > main: localstatedir = /var
> > > > > > > main: logdir = /var/log/radius
> > > > > > > main: libdir = /usr/lib
> > > > > > > main: radacctdir = /var/log/radius/radacct
> > > > > > > main: hostname_lookups = no
> > > > > > > main: max_request_time = 30
> > > > > > > main: cleanup_delay = 5
> > > > > > > main: max_requests = 1024
> > > > > > > main: delete_blocked_requests = 0
> > > > > > > main: port = 0
> > > > > > > main: allow_core_dumps = no
> > > > > > > main: log_stripped_names = no
> > > > > > > main: log_file = /var/log/radius/radius.log
Re: FreeRadius+AD integration
shrikant Bhat wrote:
...
> Yes I figured that. thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug.

Have you read the debug output?

...
> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> radius_xlat: '--username=raduser'
> radius_xlat: '--password=radpass'
> modcall[authenticate]: module ntlm_auth returns ok for request 3

What part of that is unclear? You think the user isn't in Active Directory. Yet ntlm_auth is returning that the user is in AD. Either the user is in AD, or ntlm_auth is doing something magical.

Alan DeKok.
Re: FreeRadius+AD integration
I don't have the user in Active directory, yet free radius sends an accept packet.

thanks

On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
> shrikant Bhat wrote:
> ...
> > Yes I figured that. thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug.
>
> Have you read the debug output?
>
> ...
> > radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> > radius_xlat: '--username=raduser'
> > radius_xlat: '--password=radpass'
> > modcall[authenticate]: module ntlm_auth returns ok for request 3
>
> What part of that is unclear? You think the user isn't in Active Directory. Yet ntlm_auth is returning that the user is in AD. Either the user is in AD, or ntlm_auth is doing something magical.
>
> Alan DeKok.
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> I don't have the user in Active directory, yet free radius sends an accept packet.

I did read the debug output, unlike you. It shows why. I told you why. Stop arguing and read the debug output again, and my responses.

It's not FreeRADIUS. You have configured FreeRADIUS to reply with an Access-Accept if the ntlm_auth module returns OK. For some reason, the ntlm_auth is returning OK. Go find out why that's happening, and fix it.

Do NOT reply with "but freeradius sends an access accept". That reply indicates that you're not reading the messages here. If you're not going to read the answers to your questions, I suggest you stop asking the questions. You're wasting your time, and ours.

Alan DeKok.
Re: FreeRadius+AD integration
Hello Alan, I have built and installed the 1.1.6 version of FreeRadius. When I test using radtest it authenticates any user with any password; what I mean by this is it doesn't seem to contact the ADS to look up the user information and authenticate. I have attached the debug.

[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded exec
exec: wait = no
exec: program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = yes
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = cistron
[/etc/raddb/users]:1 Cistron compatibility checks for entry raduser ...
[/etc/raddb/users]:153 Cistron compatibility checks for entry DEFAULT ...
?Changing 'Auth-Type =' to 'Auth-Type +='
[/etc/raddb/users]:172 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:198 Cistron compatibility checks for entry DEFAULT ...
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = /etc/shadow
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp:
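An added note from the editor, not part of the thread or of the deployingradius.com page it follows: the startup debug above shows `exec: wait = no` for the `ntlm_auth` instance. With `wait = no`, rlm_exec forks the program and returns `ok` without ever seeing its exit status, so an `Auth-Type ntlm_auth` authenticate step succeeds for every username and password, which is exactly the Access-Accept for a non-existent user that this thread is about. The weak setting beside the corrected one (the `program` line is the one from the debug output; `MYDOMAIN.COM` is the thread's placeholder domain):

```conf
# radiusd.conf, modules section (FreeRADIUS 1.x syntax as used in the thread)

# Weak: wait = no. rlm_exec does not wait for ntlm_auth to exit, so it cannot
# inspect the exit code and returns "ok" whatever ntlm_auth decided. Every
# request that reaches Auth-Type ntlm_auth (here: any user, via the DEFAULT
# entry in the users file) is therefore answered with an Access-Accept.
exec ntlm_auth {
	wait = no
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}

# Corrected: wait = yes. rlm_exec waits for ntlm_auth to finish and turns a
# non-zero exit status (NT_STATUS_NO_SUCH_USER, NT_STATUS_WRONG_PASSWORD, ...)
# into a non-ok module result, so the authenticate section fails and the
# server sends an Access-Reject. Only NT_STATUS_OK (exit status 0) yields "ok".
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}

# How to confirm what wait = yes relies on, from a shell on the RADIUS host:
# run ntlm_auth by hand for a user that does not exist in the domain and
# print the exit status; a non-zero status is what becomes the reject.
#   $ /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=nosuchuser --password=x; echo $?
```

With the corrected instance in place, the `radiusd -X` startup output should show `exec: wait = yes` under `Module: Instantiated exec (ntlm_auth)`, and a `radtest` for an unknown user should end with `module ntlm_auth returns` something other than `ok`.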
Re: FreeRadius+AD integration
And what happens when you get Access-Request?

On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
> Hello Alan, I have built and installed the 1.1.6 version of FreeRadius. When I test using radtest it authenticates any user with any password; what I mean by this is it doesn't seem to contact the ADS to look up the user information and authenticate. I have attached the debug.
> [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
> [...]
Re: FreeRadius+AD integration
Yes, I figured that. Thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug. Thanks for the help.

rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
User-Name = raduser
User-Password = radpass
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module chap returns noop for request 3
modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 3
users: Matched entry DEFAULT at line 154
modcall[authorize]: module files returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
rad_check_password: Found Auth-Type ntlm_auth
auth: type ntlm_auth
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: '--username=raduser'
radius_xlat: '--password=radpass'
modcall[authenticate]: module ntlm_auth returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Sending Access-Accept of id 100 to 127.0.0.1 port 32779
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 100 with timestamp 4631d1f0
Nothing to do. Sleeping until we see a request.

On 4/27/07, [EMAIL PROTECTED] wrote:
> Error seems to be because shared secret is testing123 not testing 123.
> But you need to paste output of radiusd -X after Access-Request. Open two ssh sessions and do radtest from one and radiusd -X from the other.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
>> I get this error
>>
>> [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
>> Sending Access-Request of id 47 to 127.0.0.1 port 1812
>> User-Name = raduser
>> User-Password = radpass
>> NAS-IP-Address = 255.255.255.255
>> NAS-Port = 0
>> Framed-Protocol = PPP
>> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
>> rad_verify: Received Access-Accept packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
>>
>> On 4/27/07, [EMAIL PROTECTED] wrote:
>>> And what happens when you get Access-Request?
>>>
>>> On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
>>>> Hello Alan, I have built and installed the 1.1.6 version of FreeRadius. When I test using radtest it authenticates any user with any password; what I mean by this is it doesn't seem to contact the ADS to look up the user information and authenticate. I have attached the debug.
>>>> [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
>>>> [...]
Re: FreeRadius+AD integration
On line 154 I have DEFAULT Auth-Type = ntlm_auth. If I comment this out I get the Access-Reject packet.

thanks,
SB

On 4/27/07, [EMAIL PROTECTED] wrote:
> Well, it matched something in the users file:
>
> users: Matched entry DEFAULT at line 154
>
> On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
>> Yes, I figured that. Thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug. Thanks for the help.
>> [...]
>>
>> On 4/27/07, [EMAIL PROTECTED] wrote:
>>> Error seems to be because shared secret is testing123 not testing 123.
>>> But you need to paste output of radiusd -X after Access-Request. Open two ssh sessions and do radtest from one and radiusd -X from the other.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>>> On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
>>>> I get this error
>>>> [...]
Re: FreeRadius+AD integration
Well, it matched something in the users file:

users: Matched entry DEFAULT at line 154

On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
> Yes, I figured that. Thanks for that. But the issue is the user I am trying to authenticate is not listed in the users file or in AD, so I don't understand how it is authenticating this user. I have attached the debug. Thanks for the help.
> [...]
>
> On 4/27/07, [EMAIL PROTECTED] wrote:
>> Error seems to be because shared secret is testing123 not testing 123.
>> But you need to paste output of radiusd -X after Access-Request. Open two ssh sessions and do radtest from one and radiusd -X from the other.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
>>> I get this error
>>> [...]
Re: FreeRadius+AD integration
Hi,

> radius.conf as per the instructions, but radtest fails with Access-Reject. I have attached the debug window output for reference.

No, you haven't. You've attached a tiny snippet of the debug output.

> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

But at least it shows this bit - how are you attempting to authenticate and WHAT are you attempting to authenticate?

alan
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> Hi, I am trying to integrate freeradius with ADS 2003. I referred to http://deployingradius.com/documents/configuration/active_directory.html. Everything works perfectly fine till ( $ ntlm_auth --request-nt-key --domain=*MYDOMAIN* --username=*user* --password=*password* ): I get NT_STATUS_OK. I don't see the NT_KEY output. I made changes to the exec module in radius.conf as per the instructions, but radtest fails with Access-Reject. I have attached the debug window output for reference.

You did not add the ntlm_auth entry to the authenticate section, as the web page says.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FreeRadius+AD integration
I tried with the following in the authenticate section:

Auth-Type ntlm_auth {
	mschap	# am not sure about the protocol I need to use here
}

I have attached the debug window output.

rad_recv: Access-Request packet from host 127.0.0.1:32928, id=202, length=57
User-Name = raduser
User-Password = radpass
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 214
modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type ntlm_auth
auth: type ntlm_auth
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module mschap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request

All I want to do is authenticate my Cisco device logins using ADS id and password. I am a novice to radius, please help.

thank you
regards
sb

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> shrikant Bhat wrote:
>> Hi, I am trying to integrate freeradius with ADS 2003. I referred to http://deployingradius.com/documents/configuration/active_directory.html. Everything works perfectly fine till ( $ ntlm_auth --request-nt-key --domain=*MYDOMAIN* --username=*user* --password=*password* ): I get NT_STATUS_OK. I don't see the NT_KEY output. I made changes to the exec module in radius.conf as per the instructions, but radtest fails with Access-Reject. I have attached the debug window output for reference.
>
> You did not add the ntlm_auth entry to the authenticate section, as the web page says.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> I tried with the following in the authenticate section:
> Auth-Type ntlm_auth {
> 	mschap	# am not sure about the protocol I need to use here

The web page says to just put ntlm_auth in the authenticate section. It doesn't say you need Auth-Type, and it doesn't say to put mschap in it, either.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FreeRadius+AD integration
My apologies for that mistake. I have the following lines in the modules section:

exec ntlm_auth {
	wait = no
	program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}
}

and I have ntlm_auth listed in the authenticate section. While running radiusd -X I get the following error.

[EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -X -y
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
exec: wait = no
exec: program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
radiusd.conf[1685] Unknown Auth-Type exec in authenticate section.

thanks for the help in advance.
SB
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> My apologies for that mistake. I have the following lines in the modules section:
> exec ntlm_auth {
> 	wait = no
> 	program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}
> and I have ntlm_auth listed in the authenticate section.

No, you don't. You listed exec, not ntlm_auth.

Please follow the instructions. If you are not going to follow the instructions, then do not be surprised that it doesn't work.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FreeRadius + AD/LDAP + basedn
On Thu, 7 Oct 2004, Michael Benton wrote:
> Hello,
>
> FreeRadius 1.0.1
> Linux RHES3.1
>
> Does anyone know how to configure the FreeRadius server to do an LDAP query on a Win2003 AD server, and to look at the whole AD tree? We have, for some unknown reason, multiple OUs with users in each, rather than one OU in which all users are configured. If I set the basedn to a particular OU I can authenticate users OK, but when I set it back to the top level dc=ukcl,dc=net the auth fails with user unknown. I have used an LDAP browser to do a search from the same basedn=dc=ukcl,dc=net, with the subtree option active, and it finds the users OK. How do you specify the subtree option in the radiusd.conf file? Do I have to include ou=* as below? Any hints would be greatly appreciated.
>
> ldap {
> 	server = hqdc1.ukcl.net
> 	identity = cn=freeradius,ou=Administrators,dc=ukcl,dc=net
> 	password = pExF%5Yf
> 	basedn = dc=ukcl,dc=net
> 	filter = (&(ou=*)(objectClass=person)(samaccountname=%{User-Name}))
> 	.
> }
>
> I do not have OpenLDAP installed on my linux box. Do I need this installed, even though I am directing queries to the Win2003 server directly?

Take a look at Global Catalog, see the list archives for details.

> Thanks
>
> Michael Benton
>
> E-mail scanned for all viruses by Star Internet, powered by MessageLabs

--
Kostas Kalevras		Network Operations Center
[EMAIL PROTECTED]	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
Re: freeRADIUS+AD help
On 6/15/04 7:18 PM, Veerabhushan Hatte at [EMAIL PROTECTED] wrote:

> I was going through the mail responses and I am facing some problem for the
> same configuration. I have a few questions and your help is greatly
> appreciated.
>
> 1. Do I need to enable pam authentication to use LDAP?

I don't think so. We do not have PAM active on our instance of radiusd.

> 2. If I need to use pam, do I need to install OpenLDAP to run LDAP on
> freeRADIUS?

I think you may need openLDAP installed when you compile radiusd. We run radiusd on OSX so we already had LDAP installed. I think I saw your original email that you were having trouble starting radiusd and one user suggested that you needed openLDAP prior to compilation. If it does in fact now start, you can use the following edits to adjust your configs. Ours works like a charm now.

One pitfall we had is that when the user is looked up in AD, the cn= LDAP property looks at AD's Display Name. This means that if Michael Check is logging in as [EMAIL PROTECTED], the Display Name in AD must also be the same as the account name (user name). The default in AD is to set cn as 'Michael Check'. You need to change it to 'mcheck'. The same goes for the account that radiusd uses to look up the information in the AD. In our case ldapuser and radiusserver. We still haven't figured out if there is an LDAP property that maps the username to AD's account (user) name. If you or others know of it, I'd like to know.

> If you could send me the configuration file for LDAP configuration, it would
> be really helpful.

The following setup allows users to be authenticated off 2 different AD LDAP servers depending on the domain (realm). Users without a domain are authenticated off the first AD LDAP server. The requests come from a ras and a vpn concentrator on the foo1 network to radiusd which is also on the foo1 network. We use the AD property access_attr=msNPAllowDialin to determine whether the user can log in. This is the boolean in AD whether to allow VPN/Dial-in under the account properties.

clients.conf

    client 192.168.2.28 {
            secret      = secretpass
            shortname   = vpn.foo1.com
            nastype     = cisco
    }
    client 192.168.2.29 {
            secret      = secretpass
            shortname   = ras.foo1.com
            nastype     = patton
    }

proxy.conf

    realm foo1.com {
            type        = radius
            authhost    = LOCAL
            accthost    = LOCAL
    }
    realm foo2.com {
            type        = radius
            authhost    = LOCAL
            accthost    = LOCAL
    }

users

    #
    # First setup all accounts to be checked against the UNIX /etc/passwd.
    # (Unless a password was already given earlier in this file).
    #
    #DEFAULT    Auth-Type := system
    #       Fall-Through = 1

    #
    # Setup all accounts to be checked against the MAI-LDAP module
    # This is for users that do not specify a realm (ie. @foo.com)
    #
    DEFAULT Autz-Type := FOO1, Auth-Type := FOO1
            Fall-Through = 1

    DEFAULT Realm == NULL, Autz-Type := FOO1, Auth-Type := FOO1
    DEFAULT Realm == foo1.com, Autz-Type := FOO1, Auth-Type := FOO1
    DEFAULT Realm == foo2.com, Autz-Type := FOO2, Auth-Type := FOO2

radiusd.conf

    # Lightweight Directory Access Protocol (LDAP)
    #
    # This module definition allows you to use LDAP for
    # authorization and authentication (Auth-Type := LDAP)
    #
    # See doc/rlm_ldap for description of configuration options
    # and sample authorize{} and authenticate{} blocks
    ldap FOO1 {
            server = 192.168.2.5
            identity = cn=ldapuser,cn=users,dc=foo1,dc=com
            password = foopass
            basedn = cn=users,dc=foo1,dc=com
            filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
            access_attr = msNPAllowDialin
            password_attribute = userPassword

            # set this to 'yes' to use TLS encrypted connections
            # to the LDAP database by using the StartTLS extended
            # operation.
            start_tls = no

            # set this to 'yes' to use TLS encrypted connections to the
            # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
            # the ldap library.
            tls_mode = no

            # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
            # profile_attribute = radiusProfileDn
            #access_attr = dialupAccess

            # Mapping of RADIUS dictionary attributes to LDAP
            # directory attributes.
            dictionary_mapping = ${raddbdir}/ldap.attrmap

            # ldap_cache_timeout = 120
            # ldap_cache_size = 0
            ldap_connections_number = 5
            # password_header = {clear}
            # password_attribute = userPassword
            # groupname_attribute = cn
            # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
            # groupmembership_attribute = radiusGroupName
            timeout = 4
            timelimit = 3
            net_timeout = 1
            # compare_check_items = yes
            #
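The two posts above turn on the same LDAP mechanics: the search scope (a basedn of dc=ukcl,dc=net reaches users in nested OUs only with a subtree search, which is what the LDAP browser's "subtree option" selects), the RFC 4515 filter grammar (several components must sit inside an operator such as (&...), and a value expanded into a filter must be escaped; in AD the logon name lives in sAMAccountName, which the second post's filter already uses), and the second post's realm-to-server selection with access_attr=msNPAllowDialin. The Python below models all of that in memory so it runs offline. It is an added example, not FreeRADIUS code and not from either poster; the directory entries, the Sales/Ops OUs, the users jdoe and svc-backup and the foo2.com directory are constructed sample data, and the access_attr semantics follow rlm_ldap's documented default (access_attr_used_for_allow = yes).

```python
"""In-memory model of the LDAP lookups in this thread (added example, not
FreeRADIUS code): search scope, RFC 4515 filter parsing/escaping, and the
second post's realm + access_attr logic.  All entries are constructed data."""
import re

BASE, ONELEVEL, SUBTREE = "base", "one", "sub"

def in_scope(dn, base, scope):
    """Is `dn` within `base` for this scope?  (DNs without escaped commas.)"""
    dn, base = dn.lower(), base.lower()
    if scope == BASE:
        return dn == base
    if scope == ONELEVEL:
        return dn.endswith("," + base) and dn.count(",") == base.count(",") + 1
    return dn == base or dn.endswith("," + base)

class FilterError(ValueError):
    """Filter is not valid RFC 4515 syntax."""

def parse_filter(text):
    """Parse into ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise FilterError("trailing data after filter: %r" % text[end:])
    return node

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    c = s[i:i + 1]
    if c not in ("&", "|", "!"):            # simple or substring item, e.g. (cn=a*)
        m = re.match(r"([A-Za-z][\w.;-]*)=([^()]*)\)", s[i:])
        if not m:  # e.g. "((a=1)(b=2))": a '(' where an operator belongs
            raise FilterError("malformed filter item at offset %d" % i)
        return ("=", m.group(1), m.group(2)), i + m.end()
    items, i = [], i + 1
    while s[i:i + 1] == "(":                # operator followed by its item(s)
        item, i = _parse(s, i)
        items.append(item)
    if s[i:i + 1] != ")" or (c == "!" and len(items) != 1):
        raise FilterError("bad operator expression at offset %d" % i)
    return (c, items), i + 1

def escape_filter_value(value):
    """RFC 4515 escaping, so a User-Name such as 'm*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(n, attrs) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    # Unescaped '*' is a wildcard ("(attr=*)" is a presence test); "\2a" etc. are literal.
    unesc = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    rx = ".*".join(re.escape(unesc(p)) for p in pattern.split("*"))
    return any(re.fullmatch(rx, v, re.IGNORECASE) for v in values)

def search(directory, base, scope, filter_text):
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and matches(node, attrs))

UKCL = {  # constructed sample data: users spread over several OUs, as in the first post
    "dc=ukcl,dc=net": {"objectClass": ["domain"]},
    "cn=Michael Benton,ou=Sales,dc=ukcl,dc=net": {"objectClass": ["person"],
        "sAMAccountName": ["mbenton"], "msNPAllowDialin": ["TRUE"]},
    "cn=Jane Doe,ou=Ops,dc=ukcl,dc=net": {"objectClass": ["person"],
        "sAMAccountName": ["jdoe"], "msNPAllowDialin": ["FALSE"]},
    "cn=svc-backup,ou=Ops,dc=ukcl,dc=net": {"objectClass": ["person"],
        "sAMAccountName": ["svc-backup"]},  # dial-in flag never set
}
FOO2 = {"cn=Jane Doe,cn=Users,dc=foo2,dc=com": {"objectClass": ["person"], "sAMAccountName": ["jdoe"], "msNPAllowDialin": ["TRUE"]}}
SERVERS = {"foo1.com": ("dc=ukcl,dc=net", UKCL), "foo2.com": ("dc=foo2,dc=com", FOO2)}

def strip_realm(user_name, realms):
    """Like rlm_realm: 'jdoe@foo2.com' -> ('jdoe', 'foo2.com'); unknown/no realm -> None."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        if realm.lower() in realms:
            return user, realm.lower()
    return user_name, None

def authorize(user_name, servers, default_realm):
    """Choose the directory by realm, look the user up as the posted filter does, then apply
    access_attr=msNPAllowDialin as rlm_ldap does by default: absent or FALSE -> reject."""
    stripped, realm = strip_realm(user_name, servers)
    basedn, directory = servers[realm or default_realm]
    hits = search(directory, basedn, SUBTREE, "(sAMAccountName=%s)" % escape_filter_value(stripped))
    if len(hits) != 1:
        return "reject: user unknown", None
    flag = directory[hits[0]].get("msNPAllowDialin", [])
    if not flag or flag[0].upper() == "FALSE":
        return "reject: access_attr", hits[0]
    return "accept", hits[0]
```

Two things worth keeping from it. A filter written as `((ou=*)(objectClass=person)(samaccountname=...))`, with the leading `&` left out, is rejected by the parser, as a real server rejects it as a protocol error; and the `escape_filter_value` step is what stops a User-Name of `m*` from matching a different account, since without it `(sAMAccountName=m*)` is a perfectly valid substring filter. rlm_ldap escapes its own `%{User-Name}` expansions for the same reason; anything that assembles a filter by hand must do the same. Separately, both module blocks posted in this thread bind with an identity and password over a plain connection (`start_tls = no`, `tls_mode = no`), so the bind credential and every query cross the network in the clear; StartTLS or LDAPS (port 636, or 3269 for the Global Catalog that Kostas points at) is the fix.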
