Re: FreeRadius + AD

2012-11-08 Thread Blake Covarrubias
Does this help?

http://deployingradius.com/documents/configuration/active_directory.html

--
Blake Covarrubias

On Nov 8, 2012, at 3:09 PM, Maiquel Consalter maiquelconsal...@gmail.com 
wrote:

 Hi, 
 
 Can someone tell me where I can find step-by-step instructions on 
 freeradius + Active Directory?
 
 Thanks 
 
 
 -- 
 Att,
 Maiquel

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius + AD

2012-11-08 Thread Arran Cudbard-Bell

On 8 Nov 2012, at 22:09, Maiquel Consalter maiquelconsal...@gmail.com wrote:

 Hi, 
 
 Can someone tell me where I can find step-by-step instructions on 
 freeradius + Active Directory?

http://lmgtfy.com/?q=deploying+freeradius+with+activedirectory

-Arran



Re: Freeradius + AD + WiFi + EAP

2010-09-13 Thread Alan DeKok
Kleber Larroyd wrote:

  If you can't be bothered to explain *why* you're doing this, and
*what* is going wrong, then we can't be bothered to read the reams of
data you posted.

  It also helps to *read* the debug output.  Really.

  Alan DeKok.


Re: Freeradius + AD + WiFi + EAP

2010-09-13 Thread John Dennis

On 09/13/2010 10:35 AM, Kleber Larroyd wrote:

Any idea? Where can I find the solution?
When I try to connect (Windows Vista) to the freeradius server *with wireless over
an access point* I get this error:


In the future please follow the instructions to send the *complete* 
output of radiusd -X *only*.


Also please read the debug output before asking for help, your answer is 
in the output.




Mon Sep 13 10:34:23 2010 : Info: [pap] WARNING! No known good password
found for the user. Authentication may fail because of this.
Mon Sep 13 10:34:23 2010 : Debug: rlm_eap_leap: No Cleartext-Password or
NT-Password configured for this user


No password means you didn't configure authorization in the 
inner-tunnel. Your test only worked because it wasn't doing TLS and hence 
never entered the inner-tunnel virtual server.



--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: Freeradius + AD + WiFi + EAP

2010-09-13 Thread Alan Buxey
Hi,

 peap {
 
 default_eap_type = mschapv2
 copy_request_to_tunnel = no
 use_tunneled_reply = no

personally, I'd advise that you set those to yes rather than no.

 File /etc/raddb/users
 
 DEFAULT Auth-Type = ntlm_auth

you don't need to do this. ever. we do PEAP and don't have such a line - in fact,
the only time you need to set this is if you need to break the system in a weird
way

 Files /etc/raddb/sites-enable/inner-tunnel and /etc/raddb/sites-enable/default
 
 authenticate {
 
 ntlm_auth
 ...
 }

no no no. leave the inner-tunnel and default exactly as you found them - it
will work out of the box.  what guide were you following to get this working?
I ask because if there is some document out there then it needs to be taken down.

 [r...@radiusserver etc]# ntlm_auth --request-nt-key --domain=MYDOMAINTEST 
 --username=testuser01  --password=test
 NT_STATUS_OK: Success (0x0)

good, that bit's fine

 [r...@radiusserver /]# radtest testuser01 test localhost 0 teste123
 Sending Access-Request of id 51 to 127.0.0.1 port 1812
 User-Name = testuser01
 User-Password = test
 NAS-IP-Address = 127.0.0.1
 NAS-Port = 0
 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=51, length=20

and all that's done is a basic PAP test. you'd need to use more advanced tools
such as eapol_test from the wpa_supplicant package for actually simulating a
standard Windows client that is doing an EAP method - with an EAP test your
packets would be proxied into the inner-tunnel virtual server...

alan


Re: FreeRadius + AD + Realms

2010-07-05 Thread Matthew P

 $ man unlang
 
 This says put the string %{1} as the value of Stripped-User-Name.
 
 See the data types' section of the manual page, and the strings section.
Got it ;)
Thanks for your help, fixed now.

btw. the unlang way is quite a bit more flexible than the legacy module way.
Was this problem even possible to solve without using unlang? (using freeradius
1.x as an example)
  


Re: FreeRadius + AD + Realms

2010-07-05 Thread Alan DeKok
Matthew P wrote:
 btw. the unlang-way is quite more flexible than the legacy-module-way

  Yes.  That's why it was written.  But there is still a need for the
modules.

 Was this problem even possible to solve without using unlang? (using 
 freeradius 1.x for an example)

  Likely not.

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-04 Thread Matthew P

 In a general regexp language, I guess that could be done with 
 ([\w.-]+)(?...@.*).

 Most regexes don't support \w, or (?... constructs.

 Keep it simple:

 if (User-Name =~ /^(.*)@(.*)$/) {
   # name = %{1}
   # realm = %{2}
 }
Makes sense now :) Thanks.
man regex is written mostly descriptively; it's much easier to understand from
examples like these than on weeknights :D

But I guess I missed the point with doing it this way, because:

if (User-Name =~ /@mydomain.com/) {
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name = %{1}
        }
        ldap
    }
}

doesn't work ^^
It gives:
rlm_ldap - authorize
rlmd_ldap: performing user authorization for %{1}
...

Also, I tried to apply this directly in the ldap module configuration, 
different outcome, but also doesn't work.

Where did I go wrong? -_-
  


Re: FreeRadius + AD + Realms

2010-07-04 Thread Alan DeKok
Matthew P wrote:
 But I guess I missed to point with doing it this way, because:
 
 if (User-Name =~ /@mydomain.com/) {
 if (User-Name =~ /^(.*)@(.*)$/) {
 update request {
 Stripped-User-Name = %{1}

$ man unlang

  This says put the string %{1} as the value of Stripped-User-Name.

  See the data types' section of the manual page, and the strings
section.

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-03 Thread Alan DeKok
Matthew P wrote:
 Although, now a new problem arose - I can't seem to get the (stripped) 
 username in the inner-tunnel with preprocess.
 So the username stays in the form - u...@mydomain.com, but that isn't 
 usable for an LDAP search (on the AD).

  So... decode the user-name using a regex.  You can then use that in
the LDAP configuration.  The LDAP user search is configurable for a
*reason*.

 Because there are realms involved in the scenario.
 If the realm is mydomain.com then radius needs to lookup a user in AD.
 If the realm is mydomain2.com then it needs to consult sql.
 Otherwise it should proxy the request to a home server.
 
 What would be a proper way to do this? I thought setting up a virtual server 
 for every scenario is the way to go?

  It's an option, but not the only way to do it.


if (User-Name =~ /@mydomain.com/) {
    ldap
}
elsif (User-Name =~ /@mydomain2.com/) {
    sql
}
else {
    update control {
        Proxy-To-Realm := other
    }
}

  Alan DeKok.


RE: Freeradius + AD + Cisco authetication

2010-07-03 Thread Jevos, Peter
Jevos, Peter wrote:
 What should the ntlm_auth file look like? What should the mschap
 module look like?
 What should the --require-membership-of parameter look like in these files?
 
 What should the users file look like?
 I was not able to find these answers in any documentation

  Read the URLs from the previous message.  This *is* documented.  If
you can't find it, read the documentation again.

  Alan DeKok.

Thank you for your answer Alan

However I was not able to find in these links anything about
--require-membership-of and the vpn cisco client example
(also, "find" on these pages found nothing :)

Anyway I will follow your advice and read the documentation on these
links again

Thank you



RE: Freeradius + AD + Cisco authetication

2010-07-03 Thread Jevos, Peter

Jevos, Peter wrote:
 However I was not able to find in these links anything about the
 --require-membership-of

  See the man page for ntlm_auth.  It is just a Unix command that can
be run, like anything else.

 and the vpn cisco client example
 (also find on these pages found nothing :)

  That's a Cisco issue, for Cisco documentation.

  Alan DeKok.

Thank you alan,
yes i can check the man page (to be honest, that was what i was afraid of :), but i was
looking for the examples

As i wrote in my first email, cisco is configured and working well with the IAS
radius server.
I was solving the freeradius against the cisco. To be honest, i still cannot
understand what the users file, and the other files, should contain.
One example of how to configure the users file and other files would be enough


Re: Freeradius + AD + Cisco authetication

2010-07-03 Thread Alan DeKok
Jevos, Peter wrote:
 However I was not able to find in these links anything about the
 --require-membership-of

  See the man page for ntlm_auth.  It is just a Unix command that can
be run, like anything else.

 and the vpn cisco client example
 (also find on these pages found nothing :)

  That's a Cisco issue, for Cisco documentation.

  Alan DeKok.


Re: FreeRadius + AD + Realms

2010-07-03 Thread Matthew P

Thanks for your help Alan, it really makes a difference when learning about 
Freeradius configuration.

 So... decode the user-name using a regex.  You can then use that in
 the LDAP configuration.  The LDAP user search is configurable for a
 *reason*.
I forgot to mention that I need the user portion of u...@mydomain.com for 
sql too.
u...@mydomain.com only needs to be sent to the home server (in case the user 
doesn't have @mydomain.com or @mydomain2.com). In other words, both AD 
and DB contain usernames, without any realms.
I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem 
to figure out how to make the logic - take everything before @ as a username. 
So please help.
In a general regexp language, I guess that could be done with 
([\w.-]+)(?...@.*).

 It's an option, but not the only way to do it.
 
 if (User-Name =~ /@mydomain.com/) {
    ldap
 }
 elsif (User-Name =~ /@mydomain2.com/) {
    sql
 }
 else {
    update control {
   Proxy-To-Realm := other
    }
 }
Works nicely, thanks for this hint.

Matthew
  


Re: FreeRadius + AD + Realms

2010-07-03 Thread Alan DeKok
Matthew P wrote:
 I forgot to mention that I need the user portion of u...@mydomain.com for 
 sql too.
 u...@mydomain.com only needs to be sent to the home server (in case the 
 user doesn't have @mydomain.com or @mydomain2.com). In other words, 
 both AD and DB contain usernames, without any realms.
 I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't 
 seem to figure out how to make the logic - take everything before @ as a 
 username. So please help.

  See man regex for the regex format.

 In a general regexp language, I guess that could be done with 
 ([\w.-]+)(?...@.*).

  Most regexes don't support \w, or (?... constructs.

  Keep it simple:

if (User-Name =~ /^(.*)@(.*)$/) {
# name = %{1}
# realm = %{2}  
}

  Alan DeKok.
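Putting the two hints in this thread together (the greedy regex above, and Alan's point that %{1} must be written as a quoted string, which is why Matthew's first attempt logged a literal "%{1}"), here is an added example, not from the posts and not the FreeRADIUS project's own configuration, of a realm-splitting authorize section for raddb/sites-enabled/inner-tunnel on a 2.x server. It routes mydomain.com to ldap, mydomain2.com to sql and any other realm to the proxy realm "other", all taken from the thread; the tightened regexes (escaped dot, anchored at the end), the sAMAccountName search filter, the sql_user_name setting and the assumption that "other" is defined in raddb/proxy.conf are mine.

```unlang
# raddb/sites-enabled/inner-tunnel, FreeRADIUS 2.x -- added example, not the
# shipped default.  The stock modules that normally come first (chap, mschap,
# suffix, ...) are omitted here; files and pap are kept after the realm logic
# because pap must run after whichever module fetched the password.
authorize {
    # Split "user@realm" once.  The first (.*) is greedy, so "a@b@c" gives the
    # name "a@b" and the realm "c"; a bare name with no "@" does not match and
    # Stripped-User-Name stays unset.
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            # Double quotes make %{1} expand.  Written bare, the literal text
            # "%{1}" is stored, which is exactly what the
            # "performing user authorization for %{1}" debug line showed.
            Stripped-User-Name := "%{1}"
        }
    }

    # Route on the realm.  The dot is escaped and the match is anchored at the
    # end, so "@mydomain.com.example" does not match "@mydomain.com".
    if (User-Name =~ /@mydomain\.com$/) {
        # Active Directory.  Assumed filter in raddb/modules/ldap:
        #   filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        # so the search uses the bare name set above.
        ldap
    }
    elsif (User-Name =~ /@mydomain2\.com$/) {
        # The bare name reaches the SQL queries if raddb/sql.conf has
        #   sql_user_name = "%{%{Stripped-User-Name}:-%{User-Name}}"
        # (assumption about the sql module configuration).
        sql
    }
    elsif (User-Name =~ /@/) {
        # Any other realm is proxied.  "other" must exist as a realm in
        # raddb/proxy.conf (assumed).
        update control {
            Proxy-To-Realm := "other"
        }
    }
    # No "@" at all: falls through to the local modules below.

    files
    pap
}
```

Inside the tunnel the request has already been decrypted, so this is where the stripping belongs; the outer (default) server keeps the full User-Name (hence the `nostrip` realm option earlier in this thread), otherwise the EAP identity seen by the outer exchange would not match the inner one. After the change, run radiusd -X and check that the ldap "performing user authorization for ..." line for a mydomain.com user names the bare account rather than the literal %{1}.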


Re: Freeradius + AD + Cisco authetication

2010-07-03 Thread Alan DeKok
Jevos, Peter wrote:
 Thank you alan,
 yes i can check the man page ( to be honest, that was i afraid of : ),but i 
 was looking for the examples

  Please also edit your replies.  There is no need to leave the original
message at the top of your reply.

 As i wrote in my first email, cisco is configured and working well with the 
 IAS radius server.
 I was solving the freeradius againts the cisco. To be honest, i still cannot 
 understand what should contain users file, and other files.
 One example how to configure the users file and other files would be enough 

  The users file contains documentation and *many* examples.  There's
no need for me to cut & paste those examples on this list.  You already
have them in front of you.

  Alan DeKok.


Re: Freeradius + AD + Cisco authetication

2010-07-02 Thread Fajar A. Nugraha
On Fri, Jul 2, 2010 at 6:43 PM, Jevos, Peter peter.je...@oriflame.com wrote:
 Actually I'm not really clever, because the main tutorial on the main pages is
 connected with the older version, and there are more versions of
 Freeradius 2.0, a bit different:

 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

 http://deployingradius.com/documents/configuration/active_directory.html

That page has updated tutorials for 2.x

 Can somebody please help me how to finish the freeradius configuration ( the
 NAS server will be cisco )

 I know that there should be the entries in users file, eap file, mschap or
 ntlm_aut modules.

 But what should be the proper syntax I really don’t know

Which part did you find not clear from
http://deployingradius.com/documents/configuration/active_directory.html?
It clearly says which file(s) to edit/create.

One note though, when it says "Create a file raddb/modules/ntlm_auth",
the actual location can vary depending on how you got freeradius installed. For
example, with RHEL/Centos/Fedora and their bundled freeradius2, the
file location would be /etc/raddb/modules/ntlm_auth. On the other
hand, if you installed manually from source, the file might be at
/usr/local/etc/raddb/modules/ntlm_auth

-- 
Fajar



RE: Freeradius + AD + Cisco authetication

2010-07-02 Thread Jevos, Peter
Hi, thank you for your email.
So as I said before, I have a working ntlm_auth in the form of:
Linux#/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=MYNAME --require-membership-of='DOMAIN+DOMAIN_GROUP'
That works from the command line. It returns OK status

So now, I have about 60 domains. Users are authenticated through VPN Cisco 
client with the domain\username and password.

What should the ntlm_auth file look like? What should the mschap module look like?
What should the --require-membership-of parameter look like in these files?

What should the users file look like?
I was not able to find these answers in any documentation

I'm using freeradius2-2.1.7-7.el5 ( RED HAT )

Thanks



Re: Freeradius + AD + Cisco authetication

2010-07-02 Thread Alan DeKok
Jevos, Peter wrote:
 What should the ntlm_auth file look like? What should the mschap module
 look like?
 What should the --require-membership-of parameter look like in these files?
 
 What should the users file look like?
 I was not able to find these answers in any documentation

  Read the URLs from the previous message.  This *is* documented.  If
you can't find it, read the documentation again.

  Alan DeKok.
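As an added example (not from Peter's or Alan's posts, and not the file shipped with FreeRADIUS), this is how the group restriction Peter already has working on the command line is carried into the mschap module of a 2.1.x server, so that the users file needs no Auth-Type line at all: the module sets Auth-Type := MS-CHAP itself when MS-CHAP attributes are present, and a failed group check comes back from winbind as a failed authentication. The path /usr/bin/ntlm_auth is the one from his command line; DEFAULTDOM and the group MYDOMAIN+VPN_Users (written with the winbind separator as on his command line) are placeholders, and the availability of the %{mschap:NT-Domain} expansion in the installed version is an assumption.

```unlang
# raddb/modules/mschap, FreeRADIUS 2.1.x -- added example, not the shipped
# file.  Group membership is enforced by ntlm_auth, not by the users file.
mschap {
    # Windows sends "DOMAIN\user" as User-Name but computes the response over
    # "user" only; this tells the module to account for that.
    with_ntdomain_hack = yes

    # The domain is taken from the DOMAIN\user form the VPN client sends
    # (%{mschap:NT-Domain}, assumed available in this version), with DEFAULTDOM
    # as the placeholder fallback for users who send a bare name, and the
    # username is the part after the backslash (%{mschap:User-Name}).
    # --require-membership-of makes winbind fail the check for anyone outside
    # the named group, so they get an Access-Reject even with a valid password.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:-DEFAULTDOM} --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of='MYDOMAIN+VPN_Users'"
}
```

Test it in the order the thread keeps recommending: first from the shell with the same ntlm_auth arguments, once for a member of the group and once for a non-member, then with radiusd -X; only when winbind reports NT_STATUS_OK for members and a failure for non-members is the RADIUS side worth debugging. If the Cisco NAS is configured for PAP rather than MS-CHAP, the mschap module never runs; the same --require-membership-of argument then belongs on the program line of the exec ntlm_auth module described on the deployingradius page linked above.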


Re: FreeRadius + AD + Realms

2010-07-02 Thread Matthew P

 realm mydomain.com {
 auth_pool = active_directory
 
  You'll need a line:
 
   nostrip
 
  To avoid EAP identity issues.
This worked, thanks. Preprocess doesn't strip the username in the default 
server and EAP works.
Although, now a new problem arose - I can't seem to get the (stripped) 
username in the inner-tunnel with preprocess.
So the username stays in the form - u...@mydomain.com, but that isn't usable 
for an LDAP search (on the AD).

(btw. if I test without the realm portion of the scenario, like AD is the only 
source of authentication, it works)

  i.e. it doesn't proxy it.
 
  This *does* work in 2.1.9.  So which version are you running?
I'm sorry, it was my mistake. I configured proxy_requests = no, because I 
thought it was meant for a server when it was only proxying requests from other 
sources (since this option opens a special proxying listening port).
Fixed now, proxying to the virtual server works.

 And why are you creating this complicated configuration?  The
 inner-tunnel virtual server is set up *precisely* for this kind of
 authentication.  You do EAP in the default server.  Then, the
 inner-tunnel server gets the PAP password, and you can configure it to
 look the user up in AD there.
Because there are realms involved in the scenario.
If the realm is mydomain.com then radius needs to lookup a user in AD.
If the realm is mydomain2.com then it needs to consult sql.
Otherwise it should proxy the request to a home server.

What would be a proper way to do this? I thought setting up a virtual server 
for every scenario is the way to go?

TIA!
  


Re: FreeRadius + AD + Realms

2010-06-30 Thread Alan DeKok
Matthew P wrote:
 I'm new to FreeRadius, so please bear with me. :)

  Good questions are a very good start.

 Goal: Make FreeRadius look-up a user in ActiveDirectory if he has 
 mydomain.com domain.
 Used method: EAP/TTLS (PAP in the tunnel)
 
 This is how I've done it, but it doesn't give the wanted results, so please 
 explain a bit. :)
 (it doesn't seem to load the local_ad virtual server configuration, which 
 I placed in the sites-enabled directory; it seems to just carry on executing 
 the default server)

  If you read the start of the debug output, it *should* show it loading
the local_ad virtual server.  The output below shows it not *proxying*
the request to the local_ad virtual server.


 realm mydomain.com {
 auth_pool = active_directory

  You'll need a line:

nostrip

  To avoid EAP identity issues.
...
 rlm_realm: Preparing to proxy authentication request to realm 
 mydomain.com
 ++[suffix] returns updated
   rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing 
 EAP.
 ++[eap] returns noop
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 ++[pap] returns noop
 There was no response configured: rejecting request 0

  i.e. it doesn't proxy it.

  This *does* work in 2.1.9.  So which version are you running?

  And why are you creating this complicated configuration?  The
inner-tunnel virtual server is set up *precisely* for this kind of
authentication.  You do EAP in the default server.  Then, the
inner-tunnel server gets the PAP password, and you can configure it to
look the user up in AD there.

  In fact, you should only need to do the following:

* start with the default config
* uncomment ldap everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work

  The default configuration is designed to work in the widest possible
set of circumstances, with a minimal set of changes required to add any
common functionality.

  Alan DeKok.


Re: freeradius + ad

2007-08-31 Thread A . L . M . Buxey
Hi,
 
 I have taken 1.1.6 version.

why? oh dear why?!?  1.1.7 is the latest 1.1.x release and it's
there for many many reasons.  i don't grab the Linux 0.9 kernel if
i want to run a Linux server.

 I am not very clear on configuring the files.
 First we are going to do dummy testing.

for very very basic testing you only need to edit 3 files

radiusd.conf   - set the userid, groupid and listen directive
 (and that's it! leave the rest alone!)

clients.conf - edit the 127.0.0.1 entry
eg

client 127.0.0.1 {
secret  = the_secret_i_put_into_clients.conf
shortname   = localhost
nastype = other
}

users - at the very top add a test user eg
my_Test_user_00x1  Cleartext-Password := bigf439qyft789

that should be it.  you can then use, eg radtest, to check it's alive.
so open 2 terminal windows... in one, type  radiusd -X  (to run freeradius
in full debugging) and in the other type

radtest my_Test_user_00x1 bigf439qyft789 localhost 1812 the_secret_i_put_into_clients.conf

 Can we give a file name as the argument in the command line while using
 radtest? If so, how do I use it?

man radclient

radtest is a little more basic. its the 'basic freeradius 101' test tool

alan


RE: freeradius + ad

2007-08-31 Thread Pelluru Sujatha

Is the password given in the Users file an encrypted password or
a normal one?
Should the secret which I am configuring in clients.conf be
configured anywhere else? 

All these files should be configured in the path
/usr/local/etc/xxx.conf.
Is this right?



RE: freeradius + ad

2007-08-31 Thread tnt
Is the password given in the Users file an encrypted password or
a normal one?

Cleartext-Password is normal.

Should the secret which I am configuring in clients.conf be
configured anywhere else?

On a client which is sending radius packets. With the server's IP address.

All these files should be configured in the path
/usr/local/etc/xxx.conf.
Is this right?

Path is /usr/local/etc/raddb/ by default.

Ivan Kalik
Kalik Informatika ISP



RE: freeradius + ad

2007-08-31 Thread tnt
On a radius client device (switch, AP, router, server, ...) which is
trying to authenticate the user.

Ivan Kalik
Kalik Informatika ISP


Dana 31/8/2007, Pelluru Sujatha [EMAIL PROTECTED] piše:


I did not get clearly where to configure the secret other than
/usr/local/etc/raddb/clients.conf file.



Re: freeradius + ad

2007-08-31 Thread A . L . M . Buxey
Hi,

 Whether the password given in Users file is a Encrypted password or
 normal?

your choice!

 Whether the secret which I am configuring in clients.conf should be
 configured anywhere else? 

yes - on the NAS itself.  but if you're using radtest or radclient
then that software is a virtual NAS so you use it with that tool.

alan

 All these files should be configured in the path
 /usr/local/etc/xxx.conf.
 Is this right?

heck! i don't know how you've configured your system mate! by default
it would all be in /usr/local/etc/raddb.  if it's installed via RPM
or yum or yast or 'umwifolm' then it'll be where the package manager
has decided it would be - /etc/raddb , /opt/freeradius/config/ ,
/usr/local/freeradius/etc/  etc etc

alan


Re: freeradius + ad

2007-08-31 Thread A . L . M . Buxey
Hi,
 
 I did not get clearly where to configure the secret other than
 /usr/local/etc/raddb/clients.conf file. 

unless (UNLESS) you are using some other NAS authentication method
- eg sticking them into an SQL table for checking, clients.conf
is the ONLY place where the NAS secret needs to be placed. that
is the single place where freeradius reads to check the secrets
for each NAS (or direct client talking to FR server - which are also
known as NAS in that context)

alan


Re: freeradius + ad

2007-08-31 Thread Alan DeKok
Alexsander wrote:
 alan, have you already seen freeradius work with active directory??
 do you have some example file?

http://deployingradius.com/documents/configuration/active_directory.html

 BUT if you have ntlm_auth working from the command line, 99% of the
work is done.

  Again, if ntlm_auth is telling the server that the MSCHAP
authentication was invalid, then there isn't much that can be done to
fix that.

  Alan Dekok.


Re: freeradius + ad

2007-08-31 Thread Alexsander
alan, have you already seen freeradius work with active directory??
do you have some example file?
tkx


On 8/31/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Alexsander wrote:
  yes, i took it from the site freeradius.org, version 1.1.7, is correct?

   Yes... the changes in 1.1.2 (or so) mean that the entire command line
 isn't being printed out.  That should be fixed.

   In the meantime, ntlm_auth is telling the server that the MSCHAP
 authentication was invalid.  There isn't much that can be done to fix that.

   Alan DeKok.



-- 
Alexsander A. Rodrigues

If you had to identify, in one word, the reason why the human race has
not yet reached (and never will reach) its full potential, that word
would be MEETINGS.
L.F.V.

http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=413267



RE: freeradius + ad

2007-08-31 Thread Pelluru Sujatha

I did not get clearly where to configure the secret other than
/usr/local/etc/raddb/clients.conf file. 



RE: freeradius + ad

2007-08-31 Thread Pelluru Sujatha

I have taken 1.1.6 version.

I am not very clear on configuring the files.
First we are going to do dummy testing.

What are the changes to be done on client and server configurations?

Can we give a file name as the argument on the command line while using
radtest? If so, how?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Friday, August 31, 2007 10:39 AM
To: FreeRadius users mailing list
Subject: Re: freeradius + ad

Alexsander wrote:
 yes, I took it from the site freeradius.org, version 1.1.7, is it
correct?

  Yes... the changes in 1.1.2 (or so) mean that the entire command line
isn't being printed out.  That should be fixed.

  In the mean time, ntlm_auth is telling the server that the MSCHAP
authentication was invalid.  There isn't much that can be done to fix
that.

  Alan DeKok.


 


Re: freeradius + ad

2007-08-30 Thread Alexsander
yes, I took it from the site freeradius.org, version 1.1.7, is it correct?



On 8/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Alexsander wrote:
  1 - but freeradius doesn't print any message using ntlm_auth
  (except this one: mschap: ntlm_auth =
  /usr/bin/ntlm_auth...%{ntdomain} ...)

   Are you sure you're running a recent version?  It SHOULD be printing
 out the entire ntlm_auth command.

  2 - the windows machine is already on the network and logged on (with my
  username), I'm just swapping the switch port that this machine is connected
  to - swapping between port 15 (without authentication) and port 16 (with
  authentication) - and keeping a ping -t 10.134.64.1 on screen to see when
  the connection is lost when I do

   Then I suspect that the ntlm_auth command you've configured is wrong,
 or isn't being used.

   Alan DeKok.



-- 
Alexsander A. Rodrigues


Re: freeradius + ad

2007-08-30 Thread Alan DeKok
Alexsander wrote:
 yes, I took it from the site freeradius.org, version 1.1.7, is it correct?

  Yes... the changes in 1.1.2 (or so) mean that the entire command line
isn't being printed out.  That should be fixed.

  In the mean time, ntlm_auth is telling the server that the MSCHAP
authentication was invalid.  There isn't much that can be done to fix that.

  Alan DeKok.


Re: freeradius + ad

2007-08-29 Thread Alan DeKok
Alexsander wrote:
 how can I know what kind of error it is?

  What part of the error message is unclear?

 AD account is ok (I'm using that)
 the password works fine when I run ntlm_auth command manually:
 
 ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
 password:
 (Success)

  Which is completely different than what is output in debugging mode,
isn't it?

  Try taking the ntlm_auth command line that FreeRADIUS prints out in
debugging mode, and running it from the CLI.  It won't work.

  The user entered a wrong password.

  Alan DeKok.


Re: freeradius + ad

2007-08-29 Thread Alexsander
1 - but freeradius doesn't print any message using ntlm_auth
(except this one: mschap: ntlm_auth =
/usr/bin/ntlm_auth...%{ntdomain} ...)
2 - the windows machine is already on the network and logged on (with my
username), I'm just swapping the switch port that this machine is connected
to - swapping between port 15 (without authentication) and port 16 (with
authentication) - and keeping a ping -t 10.134.64.1 on screen to see when
the connection is lost when I do

tkx

On 8/29/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Alexsander wrote:
  how can I know what kind of error it is?

   What part of the error message is unclear?

  AD account is ok (I'm using that)
  the password works fine when I run ntlm_auth command manually:
 
  ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
  password:
  (Success)

   Which is completely different than what is output in debugging mode,
 isn't it?

   Try taking the ntlm_auth command line that FreeRADIUS prints out in
 debugging mode, and running it from the CLI.  It won't work.

   The user entered a wrong password.

   Alan DeKok.



-- 
Alexsander A. Rodrigues


Re: freeradius + ad

2007-08-29 Thread Alan DeKok
Alexsander wrote:
 1 - but freeradius doesn't print any message using ntlm_auth
 (except this one: mschap: ntlm_auth =
 /usr/bin/ntlm_auth...%{ntdomain} ...)

  Are you sure you're running a recent version?  It SHOULD be printing
out the entire ntlm_auth command.

 2 - the windows machine is already on the network and logged on (with my
 username), I'm just swapping the switch port that this machine is connected
 to - swapping between port 15 (without authentication) and port 16 (with
 authentication) - and keeping a ping -t 10.134.64.1 on screen to see when
 the connection is lost when I do

  Then I suspect that the ntlm_auth command you've configured is wrong,
or isn't being used.

  Alan DeKok.


Re: freeradius + ad

2007-08-28 Thread Alexsander
Hi Alan,
how can I know what kind of error it is?
AD account is ok (I'm using that)
the password works fine when I run ntlm_auth command manually:

ntlm_auth --request-nt-key --domain=REFAP --username=dadfh9
password:
(Success)


On 8/24/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Alexsander wrote:
  Hi Alan, this is complete log captured using:
 ...
  radius_xlat:  
  '--nt-response=b5064e14567ab057f0757ee512947c1a900138564585ef02'
  Exec-Program output: Logon failure (0xc06d)

   Yes, there's a lot of output in debugging mode.

   Read it.

   You're running ntlm_auth, and it's returning login failure.  Fix that.

   Alan DeKok.



-- 
Alexsander A. Rodrigues


Re: freeradius + ad

2007-08-24 Thread Alan DeKok
Alexsander wrote:
 Hi Alan, this is complete log captured using:
...
 radius_xlat:  '--nt-response=b5064e14567ab057f0757ee512947c1a900138564585ef02'
 Exec-Program output: Logon failure (0xc06d)

  Yes, there's a lot of output in debugging mode.

  Read it.

  You're running ntlm_auth, and it's returning login failure.  Fix that.

  Alan DeKok.


Re: freeradius + ad

2007-08-17 Thread Alexsander
hi joe,
see this:
s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
--username=dadfh9
password:
[2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
  lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
NT_STATUS_OK: Success (0x0)
s8860ru01:/etc#

doesn't that mean that ntlm_auth is working?

On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
 Exec-Program output: Logon failure (0xc06d)
 Exec-Program-Wait: plaintext: Logon failure (0xc06d)
 Exec-Program: returned: 1
   rlm_mschap: External script failed.


 those are probably the lines of interest,  your ntlm_auth is failing.  try
 it via the command line, once you get it working via the command line
 you'll have a MUCH better chance of it working in freeradius.

 hints are kinit - get that working also get wbinfo -u listing your
 domain users

 Joe Vieira
 UNIX Systems Administrator
 Clark University




-- 
Alexsander A. Rodrigues


Re: freeradius + ad

2007-08-17 Thread A . L . M . Buxey
Hi,
 hi joe,
 see this:
 s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
 --username=dadfh9
 password:
 [2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
   lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
 NT_STATUS_OK: Success (0x0)
 s8860ru01:/etc#
 
 doesn't that mean that ntlm_auth is working?

yes - when used with those commands.

 
 On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
  Exec-Program output: Logon failure (0xc06d)
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)
  Exec-Program: returned: 1
rlm_mschap: External script failed.

this shows a login failure with ntlm_auth.  check out the debug to see why.
it could be that the username or domain is being passed incorrectly

alan


Re: freeradius + ad

2007-08-17 Thread Alexsander
tks alan!
is there some way to force the log to show me what parameters it is passing
to the ntlm_auth binary?



On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Hi,
  hi joe,
  see this:
  s8860ru01:/etc# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
  --username=dadfh9
  password:
  [2007/08/17 07:35:26, 10] intl/lang_tdb.c:lang_tdb_init(138)
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
  NT_STATUS_OK: Success (0x0)
  s8860ru01:/etc#
 
  doesn't that mean that ntlm_auth is working?

 yes - when used with those commands.

 
  On 8/16/07, Joe Vieira [EMAIL PROTECTED] wrote:
   Exec-Program output: Logon failure (0xc06d)
   Exec-Program-Wait: plaintext: Logon failure (0xc06d)
   Exec-Program: returned: 1
 rlm_mschap: External script failed.

 this shows a login failure with ntlm_auth.  check out the debug to see why.
 it could be that the username or domain is being passed incorrectly

 alan



-- 
Alexsander A. Rodrigues


Re: freeradius + ad

2007-08-17 Thread Alexsander
hi alan,
when I captured the log I was using radiusd -X -A -y -z > output.log

another thing:
I capture some pieces of output log:
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Domain'
radius_xlat:  '--domain=REFAP'
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat:  '--username=dadfh9'
radius_xlat: Running registered xlat function of module mschap for
string 'Challenge'
 mschap2: c6
radius_xlat:  '--challenge=8fd10da49268b4b6'
radius_xlat: Running registered xlat function of module mschap for
string 'NT-Response'
radius_xlat:  '--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1'

and did another test:


s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
--username=dadfh9 --challenge=8fd10da49268b4b6
--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1
Logon failure (0xc06d)   <- logon error again
s8860ru01:/tmp#
s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
--username=dadfh9
password:
[2007/08/17 14:47:06, 10] intl/lang_tdb.c:lang_tdb_init(138)
  lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
NT_STATUS_OK: Success (0x0)
s8860ru01:/tmp#


it's like a wrong response or challenge, or some kind of hash.
ps.: in output.log I saw these lines:
mschap: with_ntdomain_hack = yes
mschapv2: with_ntdomain_hack = no   <- must this be yes or no?
preprocess: with_ntdomain_hack = no



On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 hi,

 last time i checked i'm sure its printed in full debug mode :

  radiusd -X


 alan



-- 
Alexsander A. Rodrigues


Re: freeradius + ad

2007-08-17 Thread Alexsander
hi alan,
enabling log_goodpass and log_badpass I got these lines:

  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: leaving group authenticate (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect (rlm_mschap: Logon failure (0xc06d)):
[REFAP\\dadfh9/<no User-Password attribute>] (from client localhost
port 0)

does this mean that ntlm_auth isn't receiving the password parameter?


On 8/17/07, Alexsander [EMAIL PROTECTED] wrote:
 hi alan,
 when I captured the log I was using radiusd -X -A -y -z > output.log

 another thing:
 I capture some pieces of output log:
 radius_xlat: Running registered xlat function of module mschap for
 string 'NT-Domain'
 radius_xlat:  '--domain=REFAP'
 radius_xlat: Running registered xlat function of module mschap for
 string 'User-Name'
 radius_xlat:  '--username=dadfh9'
 radius_xlat: Running registered xlat function of module mschap for
 string 'Challenge'
  mschap2: c6
 radius_xlat:  '--challenge=8fd10da49268b4b6'
 radius_xlat: Running registered xlat function of module mschap for
 string 'NT-Response'
 radius_xlat:  '--nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1'

 and did another test:


 s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
 --username=dadfh9 --challenge=8fd10da49268b4b6
 --nt-response=aed525bc59e35522e8cf9fff11c533d9c5c866d6eb0f47c1
 Logon failure (0xc06d)   <- logon error again
 s8860ru01:/tmp#
 s8860ru01:/tmp# /usr/bin/ntlm_auth --request-nt-key --domain=REFAP
 --username=dadfh9
 password:
 [2007/08/17 14:47:06, 10] intl/lang_tdb.c:lang_tdb_init(138)
   lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
 NT_STATUS_OK: Success (0x0)
 s8860ru01:/tmp#


 it's like a wrong response or challenge, or some kind of hash.
 ps.: in output.log I saw these lines:
 mschap: with_ntdomain_hack = yes
 mschapv2: with_ntdomain_hack = no   <- must this be yes or no?
 preprocess: with_ntdomain_hack = no



 On 8/17/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  hi,
 
  last time i checked i'm sure its printed in full debug mode :
 
   radiusd -X
 
 
  alan
 


 --
 Alexsander A. Rodrigues



-- 
Alexsander A. Rodrigues


Re: freeradius + ad

2007-08-17 Thread Alan DeKok
Alexsander wrote:
 hi alan,
 enabling log_goodpass and log_badpass I took this lines:
 
   rlm_mschap: External script failed.

  And right before that in the log it shows you WHAT script it's
running, and WHY it failed.

  If you want to solve the problem, don't delete every piece of useful
information from the logs you post to the list.

  The debug output shows you the ntlm_auth command that the server is
running.  Since it works when you run it from the command line, the
obvious next step is to _compare_ the two.  Then, if there are
differences, make the BROKEN one more like the WORKING one.

  Alan DeKok.


Re: freeradius + ad

2007-08-16 Thread Joe Vieira
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
  rlm_mschap: External script failed.


those are probably the lines of interest,  your ntlm_auth is failing.  try 
it via the command line, once you get it working via the command line 
you'll have a MUCH better chance of it working in freeradius.

hints are kinit - get that working also get wbinfo -u listing your 
domain users

Joe Vieira
UNIX Systems Administrator
Clark University



Re: FreeRadius+AD integration

2007-05-02 Thread shrikant Bhat
Hello All,
Could someone please tell me why ntlm_auth is returning OK without
looking up the ADS?
I couldn't understand the debug.

On 5/1/07, shrikant Bhat [EMAIL PROTECTED] wrote:
 Alan,
 My intention is not to argue; since I couldn't understand the debug I
 posted the message.

 On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
  shrikant Bhat wrote:
   I don't have the user in Active Directory, yet FreeRADIUS sends an
   accept packet.
 
I did read the debug output, unlike you.  It shows why.  I told you
  why.  Stop arguing and read the debug output again, and my responses.
 
It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
  Access-Accept if the ntlm_auth module returns OK.  For some reason, the
  ntlm_auth is returning OK.  Go find out why that's happening, and fix it.
 
Do NOT reply with but freeradius sends an access accept.  That reply
  indicates that you're not reading the messages here.  If you're not
  going to read the answers to your questions, I suggest you stop asking
  the questions.  You're wasting your time, and ours.
 
Alan DeKok.
  --
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog
 



Re: FreeRadius+AD integration

2007-05-02 Thread Alan DeKok
shrikant Bhat wrote:
 Hello All,
 Could someone please tell me why ntlm_auth is returning OK without
 looking up the ADS?

  Ask the people who wrote ntlm_auth?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-05-02 Thread shrikant Bhat
Sorry I forgot to attach the radiusd.conf and debug results
***
..
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = ${logdir}/radius.log

libdir = /usr/local/lib

pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
#
max_requests = 1024
#
bind_address = *
#
port = 0
#
hostname_lookups = no
#
allow_core_dumps = no

#  Regular expressions
#
regular_expressions = yes
extended_expressions= yes

#  Log the full User-Name attribute, as it was found in the request.
#
log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct
#
#  allowed values: {no, yes}
#
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
#
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
#
security {
max_attributes = 200
reject_delay = 1
status_server = no
}
$INCLUDE  ${confdir}/clients.conf
# SNMP CONFIGURATION
snmp= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
start_servers = 5

max_servers = 32
#
min_spare_servers = 3
max_spare_servers = 10

#  There may be memory leaks or resource allocation problems with

max_requests_per_server = 0
}

# MODULE CONFIGURATION
#
#  The names and configuration of each module is located in this section.
#
#  After the modules are defined here, they may be referred to by name,
#  in other sections of this configuration file.
#
modules {
  exec ntlm_auth {
   wait = no
   program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.ORG --username=%{mschap:User-Name} --password=%{User-Password}"
  }
#
pap {
encryption_scheme = crypt
}

chap {
authtype = CHAP
}

$INCLUDE ${confdir}/eap.conf
mschap {
#
authtype = MS-CHAP
#   ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-MYDOMAIN.ORG} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

checkval {
# The attribute to look for in the request
item-name = Calling-Station-Id
# The attribute to look for in check items. Can be multi valued
check-name = Calling-Station-Id
# The data type. Can be
# string,integer,ipaddr,date,abinary,octets
data-type = string
# If set to yes and we dont find the item-name attribute in the
# request then we send back a reject
# DEFAULT is no
#notfound-reject = no
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
files {
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
}
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = yes
}
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = no
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
expr {
}
exec {

Re: FreeRadius+AD integration

2007-05-02 Thread shrikant Bhat
It must be you, so you are the right person to tell me what is
causing ntlm_auth to send OK.
SB

On 5/2/07, Alan DeKok [EMAIL PROTECTED] wrote:
 shrikant Bhat wrote:
  Hello All,
  Could some one please tell me why ntlm_auth resurning OK with out
  looking up the ADS .

   Ask the people who wrote ntlm_auth?

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog



Re: FreeRadius+AD integration

2007-05-02 Thread Alan DeKok
shrikant Bhat wrote:
 It must be you, so you are the right person to tell me what is
 causing ntlm_auth to send OK.

  Umm... no.

  10 seconds of reading documentation would lead you to conclude that
ntlm_auth is part of the Samba project.  I am not part of the Samba project.

  Start reading documentation.  Stop asking questions on this list about
ntlm_auth.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


RE: FreeRadius+AD integration

2007-05-02 Thread Danner, Mearl
Why not try this? Worked for us.

http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO


Note that the first thing configured is the Samba server. It doesn't
even mention installing the Freeradius server until after the Samba
configuration is completed.


Hi,
 It must be you, so you are the right person to tell me what is
 causing ntlm_auth to send OK.




Re: FreeRadius+AD integration

2007-05-02 Thread Jacob Jarick
The deploying freeradius + AD is an excellent guide for the ntlm_auth method.

I'm guessing it is because your ntlm_auth command is commented out in
the mschap part

On 5/2/07, Danner, Mearl [EMAIL PROTECTED] wrote:
 Why not try this? Worked for us.

 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO


 Note that the first thing configured is the Samba server. It doesn't
 even mention installing the Freeradius server until after the Samba
 configuration is completed.


 Hi,
  It must be you, so you are the right person to tell me what is
  causing ntlm_auth to send OK.





Re: FreeRadius+AD integration

2007-05-01 Thread shrikant Bhat
Alan,
My intention is not to argue; since I couldn't understand the debug I
posted the message.

On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
 shrikant Bhat wrote:
  I don't have the user in Active Directory, yet FreeRADIUS sends an
  accept packet.

   I did read the debug output, unlike you.  It shows why.  I told you
 why.  Stop arguing and read the debug output again, and my responses.

   It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
 Access-Accept if the ntlm_auth module returns OK.  For some reason, the
 ntlm_auth is returning OK.  Go find out why that's happening, and fix it.

   Do NOT reply with but freeradius sends an access accept.  That reply
 indicates that you're not reading the messages here.  If you're not
 going to read the answers to your questions, I suggest you stop asking
 the questions.  You're wasting your time, and ours.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog



Re: FreeRadius+AD integration

2007-04-30 Thread shrikant Bhat
Hi,
Anyone who can help me with this?
thanks in advance
SB

On 4/27/07, shrikant Bhat [EMAIL PROTECTED] wrote:
 On line 154 I have DEFAULT Auth-Type = ntlm_auth. If I comment this
 out I get the Access-Reject packet.
 thanks,
 SB

 On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  Well, it matched something in the users file:
 
  users: Matched entry DEFAULT at line 154
 
 
  On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
 
  Yes I figured that, thanks for that. But the issue is that the user I am
  trying to authenticate is not listed in the users file or in AD, so I don't
  understand how it is authenticating this user.
  I have attached debug .
  thanks for the help.
  
  *
  rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, 
  length=59
  User-Name = raduser
  User-Password = radpass
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 0
Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 3
modcall[authorize]: module preprocess returns ok for request 3
modcall[authorize]: module chap returns noop for request 3
modcall[authorize]: module mschap returns noop for request 3
  rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
  rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 3
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 3
  users: Matched entry DEFAULT at line 154
modcall[authorize]: module files returns ok for request 3
  modcall: leaving group authorize (returns ok) for request 3
rad_check_password:  Found Auth-Type ntlm_auth
  auth: type ntlm_auth
Processing the authenticate section of radiusd.conf
  modcall: entering group authenticate for request 3
  radius_xlat: Running registered xlat function of module mschap for
  string 'User-Name'
  radius_xlat:  '--username=raduser'
  radius_xlat:  '--password=radpass'
modcall[authenticate]: module ntlm_auth returns ok for request 3
  modcall: leaving group authenticate (returns ok) for request 3
  Sending Access-Accept of id 100 to 127.0.0.1 port 32779
  Finished request 3
  Going to the next request
  --- Walking the entire request list ---
  Waking up in 6 seconds...
  --- Walking the entire request list ---
  Cleaning up request 3 ID 100 with timestamp 4631d1f0
  Nothing to do.  Sleeping until we see a request.
  
  
  On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   Error seems to be because the shared secret is 'testing123', not 'testing 123'.
   But you need to paste the output of radiusd -X after Access-Request. Open two
   ssh sessions and do radtest from one and radiusd -X from the other.
  
   Ivan Kalik
   Kalik Informatika ISP
  
  
   On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
  
   I get this error
   [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
   Sending Access-Request of id 47 to 127.0.0.1 port 1812
   User-Name = raduser
   User-Password = radpass
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 0
   Framed-Protocol = PPP
   rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, 
   length=20
   rad_verify: Received Access-Accept packet from client 127.0.0.1 port
   1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
   
   On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
And what happens when you get Access-Request?
   
   
    On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] wrote:
   
Hello Alan,
    I have built and installed version 1.1.6 of FreeRADIUS. When I test
    using radtest it authenticates any user with any password; what I mean
    by this is that it doesn't seem to contact the ADS to look up the user
    information and authenticate. I have attached the debug
*
[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 

Re: FreeRadius+AD integration

2007-04-30 Thread Alan DeKok
shrikant Bhat wrote:
...
 Yes, I figured that; thanks for that. But the issue is that the user I am
 trying to authenticate is not listed in the users file or in AD, so I don't
 understand how it is authenticating this user.
 I have attached debug .

  Have you read the debug output?
...
 radius_xlat: Running registered xlat function of module mschap for
 string 'User-Name'
 radius_xlat:  '--username=raduser'
 radius_xlat:  '--password=radpass'
  modcall[authenticate]: module ntlm_auth returns ok for request 3

  What part of that is unclear?

  You think the user isn't in Active Directory.  Yet ntlm_auth is
returning that the user is in AD.  Either the user is in AD, or
ntlm_auth is doing something magical.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius+AD integration

2007-04-30 Thread shrikant Bhat
I don't have the user in Active Directory, yet FreeRADIUS sends an
accept packet.
thanks


On 4/30/07, Alan DeKok [EMAIL PROTECTED] wrote:
 shrikant Bhat wrote:
 ...
  Yes, I figured that; thanks for that. But the issue is that the user I am
  trying to authenticate is not listed in the users file or in AD, so I don't
  understand how it is authenticating this user.
  I have attached debug .

   Have you read the debug output?
 ...
  radius_xlat: Running registered xlat function of module mschap for
  string 'User-Name'
  radius_xlat:  '--username=raduser'
  radius_xlat:  '--password=radpass'
   modcall[authenticate]: module ntlm_auth returns ok for request 3

   What part of that is unclear?

   You think the user isn't in Active Directory.  Yet ntlm_auth is
 returning that the user is in AD.  Either the user is in AD, or
 ntlm_auth is doing something magical.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius+AD integration

2007-04-30 Thread Alan DeKok
shrikant Bhat wrote:
 I don't have the user in Active Directory, yet FreeRADIUS sends an
 accept packet.

  I did read the debug output, unlike you.  It shows why.  I told you
why.  Stop arguing and read the debug output again, and my responses.

  It's not FreeRADIUS.  You have configured FreeRADIUS to reply with an
Access-Accept if the ntlm_auth module returns OK.  For some reason, the
ntlm_auth is returning OK.  Go find out why that's happening, and fix it.

  Do NOT reply with "but freeradius sends an access accept".  That reply
indicates that you're not reading the messages here.  If you're not
going to read the answers to your questions, I suggest you stop asking
the questions.  You're wasting your time, and ours.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
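
Alan's reply leaves the reader to find out why ntlm_auth reports success. One setting worth checking, and visible in the debug output quoted earlier in the thread, is `exec: wait = no` on the ntlm_auth instance: an exec module that does not wait for its program never sees the program's exit status, so it reports ok whether or not the logon succeeded, and a users-file entry that forces `Auth-Type = ntlm_auth` for everyone then turns that into an Access-Accept for any password. The model below is an added illustration written for this thread, not FreeRADIUS code. It simplifies rlm_exec's documented behaviour (exit 0 -> ok, any other exit -> reject, whereas rlm_exec maps individual exit codes to individual module codes; a helper that cannot be started -> fail; with wait off, ok immediately without consulting the child). The `NTLM_AUTH_*` stand-ins and the function names are mine; the stand-ins exit 0 or 1 in place of ntlm_auth, which exits 0 on NT_STATUS_OK and non-zero on a failed logon.

```python
"""How an exec-type authentication module turns a helper's exit status into
a RADIUS decision, and what the module's `wait` setting does to that.

Added illustration for this thread; it is not FreeRADIUS code. It models
rlm_exec's documented behaviour in simplified form: exit 0 -> ok, any
other exit -> reject (rlm_exec actually maps individual exit codes to
individual module codes), a helper that cannot be run -> fail, and, when
wait is off, ok immediately without consulting the child at all. The
helper programs are constructed stand-ins for ntlm_auth, which exits 0 on
NT_STATUS_OK and non-zero on a failed logon.
"""
import shlex
import subprocess
import sys

PY = shlex.quote(sys.executable)
# Constructed stand-ins for the expanded `program = ...` line.
NTLM_AUTH_LOGON_OK = f"{PY} -c 'import sys; sys.exit(0)'"
NTLM_AUTH_LOGON_FAILED = f"{PY} -c 'import sys; sys.exit(1)'"
NTLM_AUTH_NOT_INSTALLED = "/nonexistent/ntlm_auth --request-nt-key"


def exec_module_result(program: str, wait: bool) -> str:
    """Module return code ("ok", "reject" or "fail") for running `program`."""
    argv = shlex.split(program)
    try:
        if not wait:
            # Fire and forget: the child is started and the module returns ok
            # at once. Its exit status is never consulted, so a failed logon
            # and a successful one are indistinguishable here.
            subprocess.Popen(argv, stdout=subprocess.DEVNULL,
                             stderr=subprocess.DEVNULL)
            return "ok"
        done = subprocess.run(argv, capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        # Helper missing, not executable, or hung: no decision possible.
        return "fail"
    return "ok" if done.returncode == 0 else "reject"


def reply_for(module_result: str) -> str:
    """Reply code when this module is the Auth-Type for the request
    (as with a `DEFAULT Auth-Type := ntlm_auth` entry in the users file)."""
    return "Access-Accept" if module_result == "ok" else "Access-Reject"


def decision_table():
    """Run each stand-in with wait on and off.
    Returns (helper, wait, module_result, reply) tuples."""
    rows = []
    helpers = (("logon ok", NTLM_AUTH_LOGON_OK),
               ("logon failed", NTLM_AUTH_LOGON_FAILED),
               ("helper missing", NTLM_AUTH_NOT_INSTALLED))
    for name, program in helpers:
        for wait in (True, False):
            result = exec_module_result(program, wait)
            rows.append((name, wait, result, reply_for(result)))
    return rows


if __name__ == "__main__":
    for name, wait, result, reply in decision_table():
        print(f"{name:15} wait={'yes' if wait else 'no':<3} "
              f"module={result:6} -> {reply}")
```

The table the script prints is the point: with wait on, a failed logon becomes Access-Reject; with wait off, the same helper yields Access-Accept. For an exec module used in the authenticate section the setting to verify is therefore `wait = yes`, and a quick regression test is a radtest with a deliberately wrong password, which must produce an Access-Reject.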


Re: FreeRadius+AD integration

2007-04-27 Thread shrikant Bhat
Hello Alan,
I have built and installed version 1.1.6 of FreeRADIUS. When I test
using radtest it authenticates any user with any password; what I mean
by this is that it doesn't seem to contact the ADS to look up the user
information and authenticate. I have attached the debug
*
[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded exec
 exec: wait = no
 exec: program = /usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--password=%{User-Password}
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = cistron
[/etc/raddb/users]:1 Cistron compatibility checks for entry raduser ...
[/etc/raddb/users]:153 Cistron compatibility checks for entry DEFAULT ...
?Changing 'Auth-Type =' to 'Auth-Type +='
[/etc/raddb/users]:172 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:198 Cistron compatibility checks for entry DEFAULT ...
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: 

Re: FreeRadius+AD integration

2007-04-27 Thread tnt
And what happens when you get Access-Request?


On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:

Hello Alan,
I have built and installed version 1.1.6 of FreeRADIUS. When I test
using radtest it authenticates any user with any password; what I mean
by this is that it doesn't seem to contact the ADS to look up the user
information and authenticate. I have attached the debug
*
[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded exec
 exec: wait = no
 exec: program = /usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--password=%{User-Password}
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = cistron
[/etc/raddb/users]:1 Cistron compatibility checks for entry raduser ...
[/etc/raddb/users]:153 Cistron compatibility checks for entry DEFAULT ...
?Changing 'Auth-Type =' to 'Auth-Type +='
[/etc/raddb/users]:172 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:184 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:191 Cistron compatibility checks for entry DEFAULT ...
[/etc/raddb/users]:198 Cistron compatibility checks for entry DEFAULT ...
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = 

Re: FreeRadius+AD integration

2007-04-27 Thread shrikant Bhat
Yes, I figured that; thanks for that. But the issue is that the user I am
trying to authenticate is not listed in the users file or in AD, so I don't
understand how it is authenticating this user.
I have attached debug .
thanks for the help.

*
rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
User-Name = raduser
User-Password = radpass
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
users: Matched entry DEFAULT at line 154
  modcall[authorize]: module files returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type ntlm_auth
auth: type ntlm_auth
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat:  '--username=raduser'
radius_xlat:  '--password=radpass'
  modcall[authenticate]: module ntlm_auth returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Sending Access-Accept of id 100 to 127.0.0.1 port 32779
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 100 with timestamp 4631d1f0
Nothing to do.  Sleeping until we see a request.


On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 The error seems to be because the shared secret is testing123, not testing 123.
 But you need to paste the output of radiusd -X after the Access-Request. Open two
 ssh sessions and do radtest from one and radiusd -X from the other.

 Ivan Kalik
 Kalik Informatika ISP


 On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:

 I get this error
 [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
 Sending Access-Request of id 47 to 127.0.0.1 port 1812
 User-Name = raduser
 User-Password = radpass
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 0
 Framed-Protocol = PPP
 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
 rad_verify: Received Access-Accept packet from client 127.0.0.1 port
 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
 
 On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  And what happens when you get Access-Request?
 
 
  On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
 
  Hello Alan,
  I have built and installed version 1.1.6 of FreeRADIUS. When I test
  using radtest it authenticates any user with any password; what I mean
  by this is that it doesn't seem to contact the ADS to look up the user
  information and authenticate. I have attached the debug
  *
  [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
  Starting - reading configuration files ...
  reread_config:  reading radiusd.conf
  Config:   including file: /etc/raddb/clients.conf
  Config:   including file: /etc/raddb/snmp.conf
  Config:   including file: /etc/raddb/eap.conf
  Config:   including file: /etc/raddb/sql.conf
   main: prefix = /usr
   main: localstatedir = /var
   main: logdir = /var/log/radius
   main: libdir = /usr/lib
   main: radacctdir = /var/log/radius/radacct
   main: hostname_lookups = no
   main: max_request_time = 30
   main: cleanup_delay = 5
   main: max_requests = 1024
   main: delete_blocked_requests = 0
   main: port = 0
   main: allow_core_dumps = no
   main: log_stripped_names = no
   main: log_file = /var/log/radius/radius.log
   main: log_auth = no
   main: log_auth_badpass = no
   main: log_auth_goodpass = no
   main: pidfile = /var/run/radiusd/radiusd.pid
   main: user = radiusd
   main: group = radiusd
   main: usercollide = no
   main: lower_user = no
   main: lower_pass = no
   main: nospace_user = no
   main: nospace_pass = no
   main: checkrad = /usr/sbin/checkrad
   main: proxy_requests = yes
   security: max_attributes = 200
   security: reject_delay = 1
   security: status_server = no
   main: debug_level = 0
  read_config_files:  reading dictionary
  read_config_files:  reading naslist
  Using deprecated naslist file.  Support for this will go away soon.
  

Re: FreeRadius+AD integration

2007-04-27 Thread shrikant Bhat
On Line 154 I have default Auth-Type = ntlm_auth. If I comment this
out I get the Access-reject packet.
thanks,
SB

On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 Well, it matched something in the users file:

 users: Matched entry DEFAULT at line 154


 On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:

 Yes, I figured that; thanks for that. But the issue is that the user I am
 trying to authenticate is not listed in the users file or in AD, so I don't
 understand how it is authenticating this user.
 I have attached debug .
 thanks for the help.
 
 *
 rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
 User-Name = raduser
 User-Password = radpass
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 0
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 3
   modcall[authorize]: module preprocess returns ok for request 3
   modcall[authorize]: module chap returns noop for request 3
   modcall[authorize]: module mschap returns noop for request 3
 rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 3
   rlm_eap: No EAP-Message, not doing EAP
   modcall[authorize]: module eap returns noop for request 3
 users: Matched entry DEFAULT at line 154
   modcall[authorize]: module files returns ok for request 3
 modcall: leaving group authorize (returns ok) for request 3
   rad_check_password:  Found Auth-Type ntlm_auth
 auth: type ntlm_auth
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 3
 radius_xlat: Running registered xlat function of module mschap for
 string 'User-Name'
 radius_xlat:  '--username=raduser'
 radius_xlat:  '--password=radpass'
   modcall[authenticate]: module ntlm_auth returns ok for request 3
 modcall: leaving group authenticate (returns ok) for request 3
 Sending Access-Accept of id 100 to 127.0.0.1 port 32779
 Finished request 3
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 6 seconds...
 --- Walking the entire request list ---
 Cleaning up request 3 ID 100 with timestamp 4631d1f0
 Nothing to do.  Sleeping until we see a request.
 
 
 On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  The error seems to be because the shared secret is testing123, not testing 123.
  But you need to paste the output of radiusd -X after the Access-Request. Open two
  ssh sessions and do radtest from one and radiusd -X from the other.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
 
  I get this error
  [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
  Sending Access-Request of id 47 to 127.0.0.1 port 1812
  User-Name = raduser
  User-Password = radpass
  NAS-IP-Address = 255.255.255.255
  NAS-Port = 0
  Framed-Protocol = PPP
  rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
  rad_verify: Received Access-Accept packet from client 127.0.0.1 port
  1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
  
  On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
   And what happens when you get Access-Request?
  
  
   On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
  
   Hello Alan,
   I have built and installed version 1.1.6 of FreeRADIUS. When I test
   using radtest it authenticates any user with any password; what I mean
   by this is that it doesn't seem to contact the ADS to look up the user
   information and authenticate. I have attached the debug
   *
   [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
   Starting - reading configuration files ...
   reread_config:  reading radiusd.conf
   Config:   including file: /etc/raddb/clients.conf
   Config:   including file: /etc/raddb/snmp.conf
   Config:   including file: /etc/raddb/eap.conf
   Config:   including file: /etc/raddb/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = radiusd
main: group = radiusd
main: usercollide = no
main: lower_user 

Re: FreeRadius+AD integration

2007-04-27 Thread tnt
Well, it matched something in the users file:

users: Matched entry DEFAULT at line 154


On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:

Yes, I figured that; thanks for that. But the issue is that the user I am
trying to authenticate is not listed in the users file or in AD, so I don't
understand how it is authenticating this user.
I have attached debug .
thanks for the help.

*
rad_recv: Access-Request packet from host 127.0.0.1:32779, id=100, length=59
User-Name = raduser
User-Password = radpass
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module preprocess returns ok for request 3
  modcall[authorize]: module chap returns noop for request 3
  modcall[authorize]: module mschap returns noop for request 3
rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 3
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 3
users: Matched entry DEFAULT at line 154
  modcall[authorize]: module files returns ok for request 3
modcall: leaving group authorize (returns ok) for request 3
  rad_check_password:  Found Auth-Type ntlm_auth
auth: type ntlm_auth
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
radius_xlat: Running registered xlat function of module mschap for
string 'User-Name'
radius_xlat:  '--username=raduser'
radius_xlat:  '--password=radpass'
  modcall[authenticate]: module ntlm_auth returns ok for request 3
modcall: leaving group authenticate (returns ok) for request 3
Sending Access-Accept of id 100 to 127.0.0.1 port 32779
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 100 with timestamp 4631d1f0
Nothing to do.  Sleeping until we see a request.


On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 The error seems to be because the shared secret is testing123, not testing 123.
 But you need to paste the output of radiusd -X after the Access-Request. Open two
 ssh sessions and do radtest from one and radiusd -X from the other.

 Ivan Kalik
 Kalik Informatika ISP


 On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:

 I get this error
 [EMAIL PROTECTED] ~]# radtest raduser radpass localhost 0 testing 123
 Sending Access-Request of id 47 to 127.0.0.1 port 1812
 User-Name = raduser
 User-Password = radpass
 NAS-IP-Address = 255.255.255.255
 NAS-Port = 0
 Framed-Protocol = PPP
 rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=47, length=20
 rad_verify: Received Access-Accept packet from client 127.0.0.1 port
 1812 with invalid signature (err=2)!  (Shared secret is incorrect.)
 
 On 4/27/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
  And what happens when you get Access-Request?
 
 
  On 27/4/2007, shrikant Bhat [EMAIL PROTECTED] writes:
 
  Hello Alan,
  I have built and installed version 1.1.6 of FreeRADIUS. When I test
  using radtest it authenticates any user with any password; what I mean
  by this is that it doesn't seem to contact the ADS to look up the user
  information and authenticate. I have attached the debug
  *
  [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -X
  Starting - reading configuration files ...
  reread_config:  reading radiusd.conf
  Config:   including file: /etc/raddb/clients.conf
  Config:   including file: /etc/raddb/snmp.conf
  Config:   including file: /etc/raddb/eap.conf
  Config:   including file: /etc/raddb/sql.conf
   main: prefix = /usr
   main: localstatedir = /var
   main: logdir = /var/log/radius
   main: libdir = /usr/lib
   main: radacctdir = /var/log/radius/radacct
   main: hostname_lookups = no
   main: max_request_time = 30
   main: cleanup_delay = 5
   main: max_requests = 1024
   main: delete_blocked_requests = 0
   main: port = 0
   main: allow_core_dumps = no
   main: log_stripped_names = no
   main: log_file = /var/log/radius/radius.log
   main: log_auth = no
   main: log_auth_badpass = no
   main: log_auth_goodpass = no
   main: pidfile = /var/run/radiusd/radiusd.pid
   main: user = radiusd
   main: group = radiusd
   main: usercollide = no
   main: lower_user = no
   main: lower_pass = no
   main: nospace_user = no
   main: nospace_pass = no
   main: checkrad = /usr/sbin/checkrad
   main: proxy_requests = yes
   security: max_attributes = 200
   security: reject_delay = 1
   security: status_server = no
   main: debug_level = 0
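
The radtest output quoted several levels deep in this post shows the check a RADIUS client runs on every reply: it recomputes the reply's Response Authenticator with its own shared secret and discards the packet when the value does not match, which is what rad_verify's "invalid signature (err=2)" reports. Below is an added example, written for this page rather than taken from FreeRADIUS or radtest, that rebuilds the thread's exchange from constructed bytes (an Access-Request of id 100 for raduser/radpass, an Access-Accept of id 47 with no attributes) and verifies the accept once with testing123 and once with testing; the function and constant names are mine. On my reading of radtest's argument order (user, password, server, port, secret, optional ppphint), the stray "123" landed in the ppphint slot, which is why that one request also carries Framed-Protocol = PPP.

```python
"""RADIUS packet authenticators, as an illustration of the check behind
radtest's "invalid signature (err=2)! (Shared secret is incorrect.)".

Added example written for this thread; it is not code from FreeRADIUS or
radtest. All packet bytes are constructed here; the secret and user name
are the values the thread uses.
"""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER_LEN = 20  # code, id, length, 16-byte authenticator


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_hide(password: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): each 16-byte block of the
    zero-padded password is XORed with MD5(secret + previous block), the
    first block using the Request Authenticator. Its whole strength is the
    shared secret, which is one reason the secret must be long and random."""
    pad = (-len(password)) % 16
    if not password:
        pad = 16  # an empty password still occupies one block
    padded = password + b"\x00" * pad
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def build_access_request(ident, request_auth, username, password,
                         nas_ip, nas_port, secret):
    """Access-Request carrying the four attributes radtest sent."""
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, pap_hide(password, request_auth, secret))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    (RFC 2865 section 3). The server stamps every reply with this."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a reply: recompute the Response Authenticator
    with the client's own secret and compare in constant time. A mismatch
    means the reply did not come from a server holding the same secret (or
    was altered in transit) and must be discarded."""
    if len(reply) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth,
                                      reply[HEADER_LEN:], secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


def demo():
    """Replay the thread's exchange: the server signs with testing123,
    the client checks with the secret it was actually given."""
    request_auth = bytes(range(16))  # constructed; real clients use random bytes
    server_secret = b"testing123"
    request = build_access_request(100, request_auth, b"raduser", b"radpass",
                                   "255.255.255.255", 0, server_secret)
    accept = build_reply(ACCESS_ACCEPT, 47, request_auth, b"", server_secret)
    return {
        "request_length": len(request),   # 59, as in the debug output
        "accept_length": len(accept),     # 20: header only, no attributes
        "verified_with_testing123": verify_reply(accept, request_auth, b"testing123"),
        "verified_with_testing": verify_reply(accept, request_auth, b"testing"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two lengths match the thread's debug lines (length=59 for the request, length=20 for the bare accept), and the only difference between the passing and failing verification is the secret the client used. The same check is why a client and server with mismatched secrets never "half work": every reply is thrown away, and the cleanup of that situation is to fix clients.conf and the client's secret, never to relax the check.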
  

Re: FreeRadius+AD integration

2007-04-23 Thread A . L . M . Buxey
Hi,

 radius.conf as per the instructions, but radtest fails with Access-Reject. I
 have attached the debug window output for reference.

No, you haven't. You've attached a tiny snippet of the debug output.

 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user

but at least it shows this bit - how are you attempting to authenticate
and WHAT are you attempting to authenticate? 

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
 Hi,
 I am trying to integrate FreeRADIUS with ADS 2003. I referred to
 http://deployingradius.com/documents/configuration/active_directory.html.
 Everything works perfectly fine up to ( $ ntlm_auth --request-nt-key
 --domain=*MYDOMAIN* --username=*user* --password=*password*); I get
 NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module
 in radius.conf as per the instructions, but radtest fails with
 Access-Reject. I have attached the debug window output for reference.

  You did not add the ntlm_auth entry to the authenticate section,
as the web page says.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius+AD integration

2007-04-23 Thread shrikant Bhat
I tried with the following in the authenticate section

Auth-Type ntlm_auth {
   mschap  am not sure about the
protocol i need to use here
}

I have attached the debug window output
**
rad_recv: Access-Request packet from host 127.0.0.1:32928, id=202, length=57
User-Name = raduser
User-Password = radpass
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 214
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type ntlm_auth
auth: type ntlm_auth
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module mschap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
***
All I want to do is authenticate my Cisco device logins using ADS IDs
and passwords.
I am a novice to RADIUS, please help.
thank you
regards
sb



On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
 shrikant Bhat wrote:
  Hi,
  I am trying to integrate FreeRADIUS with ADS 2003. I referred to
  http://deployingradius.com/documents/configuration/active_directory.html.
  Everything works perfectly fine up to ( $ ntlm_auth --request-nt-key
  --domain=*MYDOMAIN* --username=*user* --password=*password*); I get
  NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module
  in radius.conf as per the instructions, but radtest fails with
  Access-Reject. I have attached the debug window output for reference.

   You did not add the ntlm_auth entry to the authenticate section,
 as the web page says.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
 I tried with the following in the authenticate section
 
 Auth-Type ntlm_auth {
mschap  am not sure about the
 protocol i need to use here

  The web page says to just put ntlm_auth in the authenticate
section.  It doesn't say you need Auth-Type, and it doesn't say to put
mschap in it, either.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-23 Thread shrikant Bhat
My apologies for that mistake..

I have the following lines in the modules section:
exec ntlm_auth {
        wait = no
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}

and I have ntlm_auth listed in the authenticate section. While running radiusd -X
I get the following error.
*
[EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -X -y
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
 exec: wait = no
 exec: program = /usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--password=%{User-Password}
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
radiusd.conf[1685] Unknown Auth-Type exec in authenticate section.

***

thanks for the help in advance.
SB


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
 My apologies for that mistake..
 
 I have  the following lines in modules  section
 exec ntlm_auth {
 wait = no
 program = /usr/bin/ntlm_auth  --request-nt-key
 --domain=MYDOMAIN.COM
 --username=%{mschap:User-Name} --password=%{User-Password}
 
 and I have ntlm_auth listed in authenticate section

  No, you don't.  You listed exec, not ntlm_auth.

  Please follow the instructions.  If you are not going to follow the
instructions, then do not be surprised that it doesn't work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
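The placement Alan keeps pointing at, written out as a config fragment added here for illustration (it is not from the thread or from the deployingradius page; MYDOMAIN.COM and /usr/bin/ntlm_auth are simply the values from the poster's own config). The exec instance lives in the modules section, the instance name (not "exec") is listed in the authenticate section with no Auth-Type {} wrapper and no mschap inside it, and Auth-Type is selected in the users file. One difference from the poster's module: with wait = no, rlm_exec forks the program and returns ok without waiting for its exit status, so an exec instance used for authentication can never reject a wrong password; the deployingradius page uses wait = yes, which maps exit status 0 to accept and non-zero to reject.

```conf
# radiusd.conf, modules section: an exec instance named ntlm_auth.
# wait = yes makes rlm_exec wait for ntlm_auth and use its exit status;
# the double quotes around program are needed because the value has spaces.
exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}

# radiusd.conf, authenticate section: the instance name on its own line.
# Listing it here is what makes "Auth-Type ntlm_auth" known to the server.
authenticate {
        ntlm_auth
}

# users file: send every request to that Auth-Type.
# (The debug output earlier in the thread, "Found Auth-Type ntlm_auth",
# is what this line produces.)
DEFAULT Auth-Type := ntlm_auth
```

With this in place, "radiusd -X" prints the instantiated module as "exec (ntlm_auth)" and no longer reports "Unknown Auth-Type exec in authenticate section"; a radtest with a wrong password should then produce an Access-Reject coming from the ntlm_auth module rather than from mschap.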


Re: FreeRadius + AD/LDAP + basedn

2004-10-07 Thread Kostas Kalevras
On Thu, 7 Oct 2004, Michael Benton wrote:

 Hello,

 FreeRadius 1.0.1
 Linux RHES3.1

 Does anyone know how to configure the FreeRadius server to do an LDAP query on a
 Win2003 AD server, and to look at the whole AD tree?
 We have for some unknown reason, multiple OU's with users in each, rather than one
 OU in which all users are configured.
 If I set the basedn to a particular OU - I can authenticate users OK, but when I set
 it back to the top level dc=ukcl,dc=net the auth fails with user unknown?
 I have used an LDAP browser to do a search from the same basedn=dc=ukcl,dc=net,
 with the subtree option active, and it finds the users OK. How do you specify the
 subtree option in the radiusd.conf file? Do I have to include ou=* as below?

 Any hints would be greatly appreciated.

 ldap {
         server = hqdc1.ukcl.net
         identity = cn=freeradius,ou=Administrators,dc=ukcl,dc=net
         password = pExF%5Yf
         basedn = dc=ukcl,dc=net
         filter = (&(ou=*)(objectClass=person)(samaccountname=%{User-Name}))
         .
 }

 I do not have OpenLDAP installed on my Linux box. Do I need this installed, even
 though I am directing queries to the Win2003 server directly?

Take a look at Global Catalog, see the list archives for details.


 Thanks

 Michael Benton



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

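Kostas' pointer to the Global Catalog, and the question of where the "subtree option" actually lives, in a small added illustration (Python written for this page, not rlm_ldap's code). It reuses the server, basedn and domain from the question above in a constructed realm table, and assumes nothing else about the site; port 3268 is Active Directory's standard Global Catalog LDAP port. Two things it shows that the config alone does not: search scope is a parameter of the LDAP search request and is separate from the filter, so an (ou=*) clause does not widen a search; and a value substituted into the filter from User-Name needs RFC 4515 escaping, otherwise a user name containing "*", "(" or ")" changes the meaning of the filter instead of matching a literal account name. strip_realm() models the user@realm split behind the %{Stripped-User-Name:-%{User-Name}} idiom used later in this thread.

```python
# Added illustration for this thread, not FreeRADIUS/rlm_ldap code: how a RADIUS
# User-Name becomes an AD LDAP search, with scope and filter kept separate.
from dataclasses import dataclass

# LDAP search scopes (RFC 4511 SearchRequest.scope). The scope is sent with the
# search request; it is not something you can express inside the filter.
BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"

# Constructed realm table modelled on the proxy.conf / users entries in this
# thread: realm -> (server, basedn). No realm (Realm == NULL) uses the first entry.
REALMS = {
    None: ("hqdc1.ukcl.net", "dc=ukcl,dc=net"),
    "ukcl.net": ("hqdc1.ukcl.net", "dc=ukcl,dc=net"),
}
LDAP_PORT = 389             # one domain partition, plus referrals to the rest of the forest
GLOBAL_CATALOG_PORT = 3268  # AD Global Catalog: forest-wide, partial attribute set


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into an LDAP filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return "".join(out)


def strip_realm(user_name: str):
    """user@realm -> (user, realm); realm is None when no '@' is present,
    which is what Realm == NULL in the users file matches."""
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm.lower()
    return user_name, None


@dataclass
class SearchSpec:
    server: str
    port: int
    basedn: str
    scope: str
    filter: str


def search_for(user_name: str, whole_forest: bool = False) -> SearchSpec:
    """Build the search a RADIUS server would issue for this User-Name.

    whole_forest=True selects the Global Catalog port, which is the usual answer
    when a top-level basedn on port 389 fails to find users that an LDAP browser
    with subtree search does find."""
    user, realm = strip_realm(user_name)
    server, basedn = REALMS.get(realm, REALMS[None])
    # Only the escaped account name goes into the filter; the (ou=*) clause from
    # the question is dropped because it does not affect how deep the search goes.
    ldap_filter = "(&(objectClass=person)(sAMAccountName=%s))" % escape_filter_value(user)
    port = GLOBAL_CATALOG_PORT if whole_forest else LDAP_PORT
    return SearchSpec(server, port, basedn, SUBTREE, ldap_filter)


if __name__ == "__main__":
    for name in ("mbenton", "mbenton@UKCL.NET", "a)(objectClass=*"):
        print(search_for(name, whole_forest=True))
```

The third sample name in the usage block is a constructed value that shows why the escaping matters: without it the filter would become two clauses instead of one account-name match.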


Re: freeRADIUS+AD help

2004-06-16 Thread Michael Check
On 6/15/04 7:18 PM, Veerabhushan Hatte at [EMAIL PROTECTED] wrote:

 I was going through the mail responses and I am facing some problem for the
 same configuration. I have few questions and your help is greatly appreciated.
 1. Do I need enable pam authentication to use LDAP?

I don't think so.  We do not have PAM active on our instance of radiusd.

 2. If I need to use pam, do I need to install OpenLDAP to run LDAP on
 freeRADIUS?

I think you may need OpenLDAP installed when you compile radiusd.  We run
radiusd on OSX so we already had LDAP installed.  I think I saw your
original email that you were having trouble starting radiusd and one user
suggested that you needed OpenLDAP prior to compilation.  If it does in fact
now start, you can use the following edits to adjust your configs.  Ours works
like a charm now.

One pitfall we had is that when the user is looked up in AD, the cn= LDAP
property looks at AD's Display Name.  This means that if Michael Check is
logging in as [EMAIL PROTECTED], the Display Name in AD must also be the same
as the account name (user name).  The default in AD is to set cn as 'Michael
Check'.  You need to change it to 'mcheck'.

The same goes for the account that radiusd uses to look up the information
in the AD.  In our case ldapuser and radiusserver.

We still haven't figured out if there is an LDAP property that maps the
username to AD's account (user) name.  If you or others know of it, I'd like
to know.

 If you could send me the configuration file for LDAP configuration, it would
 be really helpful.

The following setup allows users to be authenticated off 2 diff AD LDAP
servers depending on the domain (realm).  Users without a domain are
authenticated off the first AD LDAP server.

The requests come from a ras and a vpn concentrator on the foo1 network to
radiusd which is also on the foo1 network.

We use the AD property access_attr=msNPAllowDialin to determine whether
the user can log in.  This is the boolean in AD whether to allow VPN/Dial-in
under the account properties.

clients.conf

#
client 192.168.2.28 {
        secret          = secretpass
        shortname       = vpn.foo1.com
        nastype         = cisco
}

client 192.168.2.29 {
        secret          = secretpass
        shortname       = ras.foo1.com
        nastype         = patton
}
#

proxy.conf

realm foo1.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}

realm foo2.com {
        type            = radius
        authhost        = LOCAL
        accthost        = LOCAL
}


users


#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT        Auth-Type := system
#               Fall-Through = 1

#
# Setup all accounts to be checked against the MAI-LDAP module
# This is for users that do not specify a realm (ie. @foo.com)
#
DEFAULT         Autz-Type := FOO1
                Auth-Type := FOO1,
                Fall-Through = 1

DEFAULT         Realm == NULL, Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT         Realm == foo1.com, Autz-Type := FOO1, Auth-Type := FOO1

DEFAULT         Realm == foo2.com, Autz-Type := FOO2, Auth-Type := FOO2



radiusd.conf

# Lightweight Directory Access Protocol (LDAP)
#
#  This module definition allows you to use LDAP for
#  authorization and authentication (Auth-Type := LDAP)
#
#  See doc/rlm_ldap for description of configuration options
#  and sample authorize{} and authenticate{} blocks
ldap FOO1 {
        server = 192.168.2.5
        identity = cn=ldapuser,cn=users,dc=foo1,dc=com
        password = foopass
        basedn = cn=users,dc=foo1,dc=com
        filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
        access_attr = msNPAllowDialin
        password_attribute = userPassword

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        start_tls = no
        # set this to 'yes' to use TLS encrypted connections to the
        # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
        # the ldap library.
        tls_mode = no

        # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA
        # profile_attribute = radiusProfileDn
        #access_attr = dialupAccess

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        # ldap_cache_timeout = 120
        # ldap_cache_size = 0
        ldap_connections_number = 5
        # password_header = {clear}
        # password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        #