Re: AD, Groups, and LDAP (was Re: separating Users?)
freerad...@corwyn.net wrote:
> no it does not. FYI I believe 1813 is actually TCP (empirically working through my firewalls that way).

1813 is RADIUS accounting. It's currently over UDP. RADIUS over TCP is coming, too.

> 1814 only necessary if you're using proxy I think.

1814, *and* any other randomly assigned port when the proxy opens a new socket.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AD, Groups, and LDAP (was Re: separating Users?)
freerad...@corwyn.net wrote:
> Having just followed all of those instructions to build out my production systems, I have a few tweaks to fix all those little things that drive one insane when following someone's instructions because they never tested them.

Thanks. Here's a short review.

> Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc

This file is... ?

> Verify that a user in the domain can be authenticated:
>   wbinfo -a user%password
> Try the same login with the ntlm_auth program, which is what FreeRADIUS will be using:
>   ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password
>
> /etc/raddb/radiusd.conf (see Appendix C)
> Update max_requests to # users * 256

That isn't necessary. It should be no more than max request/s * max_request_time.

> Add to the end of the auth listen {..} (to permit groups of clients)
>   clients = disambiguate
> Add to the end of the acct listen {..} (to permit groups of clients)
>   clients = disambiguate

I don't understand why this is necessary. All it does is put the clients into a sub-section. There's no additional value or capabilities in doing this.

> Since we're not using any of these methods for the Ciscos, in authenticate{..} disable: chap, mschap, suffix, ntdomain, unix, pap
> Add to the end of the authorize{..} section: ntlm_auth

Or to the end of the authenticate section?

> Note: The secret needs to match the secret set on the respective client. Change the secret to an actual secret
>   clients disambiguate {

Again, there's no reason for this.

Alan DeKok.
Re: AD, Groups, and LDAP (was Re: separating Users?)
At 04:33 AM 12/4/2009, Alan DeKok wrote:
> freerad...@corwyn.net wrote:
>> Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc
>
> This file is... ?

Heh, part of our internal documentation structure. As long as I'm copy/pasting this from that, it's likely to stay in there.

>> Update max_requests to # users * 256
>
> That isn't necessary. It should be no more than max request/s * max_request_time.

Well the docs say:

  # max_requests: The maximum number of requests which the server keeps
  # track of. This should be 256 multiplied by the number of clients.
  # e.g. With 4 clients, this number should be 1024.

so I was just doing what this said.

>> Add to the end of the acct listen {..} (to permit groups of clients)
>>   clients = disambiguate
>
> I don't understand why this is necessary. All it does is put the clients into a sub-section. There's no additional value or capabilities in doing this.

I probably picked this up from one of the random docs while trying to puzzle things out that weren't clear. Since it helps show how to use a subsection, it's useful to me.

>> Since we're not using any of these methods for the Ciscos, in authenticate{..} disable: chap, mschap, suffix, ntdomain, unix, pap
>> Add to the end of the authorize{..} section: ntlm_auth
>
> Or to the end of the authenticate section?

d'oh! good catch (it's right in the appendix at least)

Thanks!

Rick
Re: AD, Groups, and LDAP (was Re: separating Users?)
freerad...@corwyn.net wrote:
>>> Update max_requests to # users * 256
>>
>> That isn't necessary. It should be no more than max request/s * max_request_time.
>
> Well the docs say:
>
>   # max_requests: The maximum number of requests which the server keeps
>   # track of. This should be 256 multiplied by the number of clients.
>   # e.g. With 4 clients, this number should be 1024.
>
> so I was just doing what this said.

No. users are not clients. Users are people logging in. RADIUS clients are NAS machines.

> I probably picked this up from one of the random docs while trying to puzzle things out that weren't clear. Since it helps show how to use a subsection, it's useful to me.

The problem for a *public* document is that unnecessary pieces confuse people.

Alan DeKok.
Re: AD, Groups, and LDAP (was Re: separating Users?)
At 11:00 AM 12/4/2009, Alan DeKok wrote:
> freerad...@corwyn.net wrote:
>>>> Update max_requests to # users * 256
>>>
>>> That isn't necessary. It should be no more than max request/s * max_request_time.
>>
>> Well the docs say:
>>
>>   # max_requests: The maximum number of requests which the server keeps
>>   # track of. This should be 256 multiplied by the number of clients.
>>   # e.g. With 4 clients, this number should be 1024.
>
> No. users are not clients. Users are people logging in. RADIUS clients are NAS machines.

Ah! cool, thx.

Rick
AD, Groups, and LDAP (was Re: separating Users?)
Having just followed all of those instructions to build out my production systems, I have a few tweaks to fix all those little things that drive one insane when following someone's instructions because they never tested them.

Using FreeRADIUS2
Rick Steeves 091203 freeradi...@corwyn.net
Setup, configuration, troubleshooting instructions, on CentOS 5.x

Goals:
o Authentication telnet sessions for Cisco switches against AD for a specific security group (Infrastructure)
o Authentication for VPN users using MSCHAP on a sonicwall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users)

Install

The linux site for the rpm download of freeradius2 is: http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:
  [freeradius2]
  name=Freeradius2
  baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
  enabled=1
  gpgcheck=0

Install freeradius2:
  yum clean all
  yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
  chkconfig radiusd on

To start the freeRadius service:
  service radiusd start

To run the service in debug mode (which you should be doing until everything works):
  service radiusd stop
  radiusd -X

Quirks

If you get an error from the output of radiusd -X along the lines of:
  Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
then the issue is that radiusd doesn't have access to the winbindd_privileged folder. You can fix with:
  chgrp radiusd /var/cache/samba/winbindd_privileged
  chmod g+rw /var/cache/samba/winbindd_privileged

Configuration

See http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc

Verify that a user in the domain can be authenticated:
  wbinfo -a user%password
Try the same login with the ntlm_auth program, which is what FreeRADIUS will be using:
  ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

/etc/raddb/radiusd.conf (see Appendix C)

Update max_requests to # users * 256
Add to the end of the auth listen {..} (to permit groups of clients)
  clients = disambiguate
Add to the end of the acct listen {..} (to permit groups of clients)
  clients = disambiguate
Add to the end of the modules{..} section: (to enable ntlm_auth as an authentication method)
  exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
  }
In log{..}
  auth = yes    (to log authentication requests)

/etc/raddb/huntgroups

huntgroups let you restrict which clients are associated with which user. You will need to add each IP of each device that will be using the RADIUS server, and associate it with the correct huntgroup. This will let the /etc/raddb/users file associate the user with the appropriate device:

/etc/raddb/huntgroups:
  Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
  Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
  Cisco_Huntgroup NAS-IP-Address == 10.100.0.3
  VPN_Huntgroup   NAS-IP-Address == 10.4.1.2

/etc/raddb/modules/ldap

If this file is missing, you need to install the RPM for freeradius2-ldap. This section is one of the biggest pains to configure, as all of your LDAP strings need to be 100% correct, and they will be very specific to the environment. Of course, update server, identity, password, basedn for your own environment. You will need a user account in AD to permit the bind to LDAP. In this example, that account is in:
  CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com
In this example, the Security groups are located in (or below):
  OU=Enterprise,DC=example,DC=com

  ldap {
    server = "example.com"
    identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
    password = secretpassword
    basedn = "OU=Enterprise,DC=example,DC=com"
    filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
    groupmembership_attribute = memberOf
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
      start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
  }

Configuration of different virtual sites

For this you'll have 3 general sites, default (used mostly for
Re: AD, Groups, and LDAP (was Re: separating Users?)
Hi,

> Install freeradius2:
>   yum clean all
>   yum install freeradius2 freeradius2-utils freeradius2-ldap

note, there are other packages should you need eg SQL support

>   Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
> then the issue is that radiusd doesn't have access to the winbindd_privileged folder. You can fix with:
>   chgrp radiusd /var/cache/samba/winbindd_privileged
>   chmod g+rw /var/cache/samba/winbindd_privileged

..and be very very aware that if you install a SAMBA update (eg there's an update released) then the post-install of the SAMBA will reblat those permissions! :-(

you didn't note if you were SELinux enabled and any issues that might befall that - I'm also not sure but does the freeradiusd2 package automatically put the right firewall holes into place too (if not you'd need to add UDP 1812,1813 and 1814 to the incoming rule chain)

alan
Re: AD, Groups, and LDAP (was Re: separating Users?)
At 05:27 PM 12/3/2009, Alan Buxey wrote:
> note, there are other packages should you need eg SQL support

Not if you're not using SQL support (which I'm not). You'd then also need a lot of instructions on setting up SQL :-)

> you didn't note if you were SELinux enabled and any issues that might befall that -

For my own doc purposes that's covered in the Linux guide we use to set up systems, but I'll add a note here.

> I'm also not sure but does the freeradiusd2 package automatically put the right firewall holes into place too (if not you'd need to add UDP 1812,1813 and 1814 to the incoming rule chain)

no it does not. FYI I believe 1813 is actually TCP (empirically working through my firewalls that way). 1814 only necessary if you're using proxy I think.

Rick
Re: separating Users?
On 12/01/2009 06:31 PM, freerad...@corwyn.net wrote:
> Well, thanks to an inordinate amount of help, I've got my RADIUS server up and running exactly how I want it to. As part of my business process, I've got a detailed doc on how the server is/was constructed. I'd like to contribute that to the wiki, but I don't see that I can create an account.

Thank you Rick for contributing this, I'm sure it will be a help to others. We need more and better documentation.

Alan has the ability to create wiki accounts, it can't be done on your own because of concerns over vandalism. If you don't get an account I'd be happy to add this under the Red Hat page or wherever it makes most sense.

-- 
John Dennis jden...@redhat.com
Re: separating Users?
At 02:39 AM 12/1/2009, Alan DeKok wrote:
> Because you've forced the ntlm_auth module to be run. That module ONLY checks clear-text passwords, and there is NO clear-text password in the request.
>
> Change the line having
>
>   ...  Auth-Type := ntlm_auth, ...
>
> to
>
>   ...  Auth-Type = ntlm_auth, ...

DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == Infrastructure
        Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15

DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth, Ldap-Group == VPN_Users

It runs the LDAP group check, but still lets the user log in even when he's not in the VPN_Users group:

rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for ciscorsteeves
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap] expand: OU=Enterprise,DC=example,DC=com -> OU=Enterprise,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user ciscorsteeves authorized to use remote access

> And read "man users" to see what the difference is.

Ahh, man 5 users. cool.

Rick

> Alan DeKok.
Re: separating Users?
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth, Ldap-Group == VPN_Users
>
> It runs the LDAP group check, but still lets the user log in even when he's not in the VPN_Users group:

Use unlang for better control of what happens:

if(Huntgroup-Name == VPN_Huntgroup) {
        if(Ldap-Group == VPN_Users) {
                if(!control:Auth-Type) {
                        update control {
                                Auth-Type = ntlm_auth
                        }
                }
        }
        else {
                reject
        }
}

Ivan Kalik
Re: separating Users?
At 01:03 PM 12/1/2009, t...@kalik.net wrote:
> Use unlang for better control of what happens:
>
> if(Huntgroup-Name == VPN_Huntgroup) {
>         if(Ldap-Group == VPN_Users) {
>                 if(!control:Auth-Type) {
>                         update control {
>                                 Auth-Type = ntlm_auth
>                         }
>                 }
>         }
>         else {
>                 reject
>         }
> }

If I understand correctly, I don't need to worry about ntlm_auth at all in this case (because with MSCHAP I don't have a cleartext password, and thus ntlm_auth won't do me any good), so I probably don't need to update the Auth-Type? So I think what I need is:

if(Huntgroup-Name == VPN_Huntgroup) {
        if(Ldap-Group == VPN_Users) {
        }
        else {
                reject
        }
}

would that unlang go into the ./users file? or into the authorization {..} section?

> Ivan Kalik
Re: separating Users?
> If I understand correctly, I don't need to worry about ntlm_auth at all in this case (because with MSCHAP I don't have a cleartext password, and thus ntlm_auth won't do me any good), so I probably don't need to update the Auth-Type?

If you are sure that all requests will be mschap. That if will work just if it's a pap request.

> So I think what I need is:
>
> if(Huntgroup-Name == VPN_Huntgroup) {
>         if(Ldap-Group == VPN_Users) {

Put just ok in there. It might not like empty brackets.

>         }
>         else {
>                 reject
>         }
> }
>
> would that unlang go into the ./users file? or into the authorization {..} section?

authorize.

Ivan Kalik
Re: separating Users?
At 01:29 PM 12/1/2009, t...@kalik.net wrote:
>> So I think what I need is:
>>
>> if(Huntgroup-Name == VPN_Huntgroup) {
>>         if(Ldap-Group == VPN_Users) {
>
> Put just ok in there. It might not like empty brackets.
>
>>         }
>>         else {
>>                 reject
>>         }
>> }

That did it! Thanks! I think that gets me up 100%. (Now to go write up all the docs for my own paper trail, and get them in shape to go somewhere in the freeradius doc realm)

Rick
Re: separating Users?
Well, thanks to an inordinate amount of help, I've got my RADIUS server up and running exactly how I want it to. As part of my business process, I've got a detailed doc on how the server is/was constructed. I'd like to contribute that to the wiki, but I don't see that I can create an account.

Also, since it drives me nuts when I'm searching on line for a fix, and an email thread ends JUST before I have the data that I need, or a piece is missing, here's that documentation as well

Rick Steeves 091201 freeradi...@corwyn.net
Setup and configuration instructions, on CentOS 5.x

Goals:
o Authentication telnet sessions for Cisco switches against AD for a specific security group (Infrastructure)
o Authentication for VPN users using MSCHAP on a sonicwall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users)

Install

The linux site for the rpm download of freeradius2 is: http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:
  [freeradius2]
  name=Freeradius2
  baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
  enabled=1
  gpgcheck=0

Install freeradius2:
  yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
  chkconfig radiusd on

To start the freeRadius service:
  service radiusd start

To run the service in debug mode (which you should be doing until everything works):
  service radiusd stop
  radiusd -X

Configuration

http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and adding to the domain should already be done as part of the default Linux install, see h:\is\operating system\Linux\Guide_linux.doc

Verify that a user in the domain can be authenticated:
  wbinfo -a user%password
Try the same login with the ntlm_auth program, which is what FreeRADIUS will be using:
  ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

./raddb/radiusd.conf (see Appendix C)

Update max_requests to # users * 256
Add to the end of the auth listen {..}
  clients = disambiguate
Add to the end of the acct listen {..}
  clients = disambiguate
Add to the end of the modules{..} section:
  exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
  }
In log {..}
  auth = yes

huntgroups

huntgroups let you restrict which clients are associated with which user. You will need to add each IP of each device that will be using the RADIUS server, and associate it with the correct huntgroup. This will let the ./users file associate the user with the appropriate device:

/etc/raddb/huntgroups:
  Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
  Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
  Cisco_Huntgroup NAS-IP-Address == 10.100.0.3
  VPN_Huntgroup   NAS-IP-Address == 10.4.1.2

./raddb/modules/ldap (See appendix D)

If this file is missing, you need to install the RPM for freeradius2-ldap. This section is one of the biggest pains to configure, as all of your LDAP strings need to be 100% correct, and they will be very specific to the environment. Of course, update server, identity, password, basedn for your own environment. You will need a user account in AD to permit the bind to LDAP. In this example, that account is in:
  CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com
In this example, the Security groups are located in (or below):
  OU=Enterprise,DC=example,DC=com

  ldap {
    server = "example.com"
    identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
    password = secretpassword
    basedn = "OU=Enterprise,DC=example,DC=com"
    filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
    groupmembership_attribute = memberOf
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
      start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
  }

Configuration of different virtual sites

For this you'll have 3 general sites, default (used mostly for testing on 127.0.0.1), server_cisco (used to AAA the Cisco users), and server_vpn (used to AAA the VPN users).

inner-tunnel
  Add: ntlm_auth to the end of the authenticate{..} section

default
  Add: ntlm_auth to the end of the authenticate{..} section

server_cisco (see Appendix B)
  We're going to duplicate the default config, and modify it for that particular virtual server:
  cp
RE: separating Users?
Read the comments in the huntgroups file in the raddb directory. This will show you how to setup a huntgroup which can be used to authorize users based on the switch (NAS) sending the authentication request.

Tim

-----Original Message-----
From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of freerad...@corwyn.net
Sent: Monday, November 30, 2009 11:54 AM
To: FreeRadius users mailing list
Subject: separating Users?

There's a piece of RADIUS that I'm not understanding. If I have an entry in my ./users file

DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
        Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15

And another entry

DEFAULT Auth-Type:=Accept,Ldap-Group == Group2
        Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15

where I'm trying to authorize users in Group1 for one set of switches, and users in Group2 for another set of switches, how does freeradius know which is which?

Rick

Rick Steeves
http://www.sinister.net
Re: separating Users?
On 11/30/2009 02:54 PM, freerad...@corwyn.net wrote:
> There's a piece of RADIUS that I'm not understanding. If I have an entry in my ./users file
>
> DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
>         Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
>
> And another entry
>
> DEFAULT Auth-Type:=Accept,Ldap-Group == Group2
>         Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
>
> where I'm trying to authorize users in Group1 for one set of switches, and users in Group2 for another set of switches, how does freeradius know which is which?

I assume you're asking how does FreeRADIUS know which switch the request is associated with, correct? Typically this is done with huntgroups which adds a huntgroup name to the request based on the IP address of the NAS. You then perform different operations based on the huntgroup name. See the huntgroups file for more documentation or the wiki howto for how to implement huntgroups in SQL.

-- 
John Dennis jden...@redhat.com
Re: separating Users?
freerad...@corwyn.net wrote:
> There's a piece of RADIUS that I'm not understanding. If I have an entry in my ./users file
>
> DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
>         Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
>
> And another entry
>
> DEFAULT Auth-Type:=Accept,Ldap-Group == Group2
>         Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
>
> where I'm trying to authorize users in Group1 for one set of switches, and users in Group2 for another set of switches, how does freeradius know which is which?

You want something like this in huntgroups. It will assign the huntgroup based on the value of NAS-IP-Address.

cisco   NAS-IP-Address == 10.0.0.1
cisco   NAS-IP-Address == 10.0.0.2

And then in your users file:

DEFAULT Ldap-Group == cisco-admin, Huntgroup-Name == cisco
        Service-Type := Administrative-User,
        Reply-Message := "Authorized Users Only"

DEFAULT Ldap-Group == cisco-user, Huntgroup-Name == cisco
        Service-Type := NAS-Prompt-User,
        Reply-Message := "Authorized Users Only"

This gives the different classes of users different levels of access to the same devices. It should be clear though how to make it do what you want.

I see several potential problems in your config.

1) Don't specify the Auth-Type. You still want to check the password I assume. I think your config will let in any user who is in group Group1 irrespective of the supplied password.

2) You don't specify the requirement to match a huntgroup name. All of the match clauses should be provided comma separated after DEFAULT.

3) You probably don't want the '=' operator, as it will not replace an existing entry in the reply. The ':=' will replace an existing entry. This probably isn't a problem in your case, but I would do it anyway.

4) I never had much luck with that priv-lvl=15 AV pair. I have both CatOS and IOS devices respecting the Service-Type AV though.

-David Mitchell

> Rick
>
> Rick Steeves
> http://www.sinister.net

-- 
David Mitchell (mitch...@ucar.edu), Network Engineer IV
National Center for Atmospheric Research
Tel: (303) 497-1845   FAX: (303) 497-1818
Re: separating Users?
At 03:27 PM 11/30/2009, David Mitchell wrote:
> 1) Don't specify the Auth-Type. You still want to check the password I assume. I think your config will let in any user who is in group Group1 irrespective of the supplied password.

Sigh. Here I was all excited that I had everything working, and was merrily working on my docs and making them into a HOWTO. And you're right on target. Correct user ID any password permits access.

So here's my users file once I take that out:

DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure
        Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15

DEFAULT Auth-Type = ntlm_auth

And now it doesn't work. Authentication failed. If I switch the order I get: Authorization failed
Re: separating Users?
On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:
> At 03:27 PM 11/30/2009, David Mitchell wrote:
>> 1) Don't specify the Auth-Type. You still want to check the password I assume. I think your config will let in any user who is in group Group1 irrespective of the supplied password.
>
> Sigh. Here I was all excited that I had everything working, and was merrily working on my docs and making them into a HOWTO. And you're right on target. Correct user ID any password permits access.
>
> So here's my users file once I take that out:
>
> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure
>         Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15
>
> DEFAULT Auth-Type = ntlm_auth
>
> And now it doesn't work. Authentication failed. If I switch the order I get: Authorization failed

You need to set fall-through so that you still do per user processing. This is documented in the raddb/users file and you should also read doc/processing_users_file

-- 
John Dennis jden...@redhat.com
Re: separating Users?
> On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:
>> At 03:27 PM 11/30/2009, David Mitchell wrote:
>>> 1) Don't specify the Auth-Type. You still want to check the password I assume. I think your config will let in any user who is in group Group1 irrespective of the supplied password.
>>
>> Sigh. Here I was all excited that I had everything working, and was merrily working on my docs and making them into a HOWTO. And you're right on target. Correct user ID any password permits access.
>>
>> So here's my users file once I take that out:
>>
>> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure
>>         Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15
>>
>> DEFAULT Auth-Type = ntlm_auth
>>
>> And now it doesn't work. Authentication failed. If I switch the order I get: Authorization failed
>
> You need to set fall-through so that you still do per user processing. This is documented in the raddb/users file and you should also read doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (ie. instead of Accept). Fall-Through is more elegant since you don't have to add Auth-Type to every DEFAULT entry.

Ivan Kalik
Re: separating Users?
At 06:12 PM 11/30/2009, t...@kalik.net wrote:
>> You need to set fall-through so that you still do per user processing. This is documented in the raddb/users file and you should also read doc/processing_users_file
>
> Or just add Auth-Type := ntlm_auth to the first line (ie. instead of Accept). Fall-Through is more elegant since you don't have to add Auth-Type to every DEFAULT entry.

Yup, both of those work, and I'm to the point I understand why!

What I think is my final problem. I'm now working to authenticate VPN users in the same scenario, using the l2tp client in windows. Looks like everything automatically picks up that it's a MSCHAP request. Using a similar logic:

DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == VPN_Users

The only problem is that it appears to ignore my LDAP group, and just authenticate ANY user (with a valid User ID/ Password) regardless of LDAP group.

rad_recv: Access-Request packet from host 10.4.1.2 port 1924, id=55, length=129
        User-Name = "notvpnuser"
        MS-CHAP-Challenge = 0x85e6507f219630664491c4e1bbeee67b
        MS-CHAP2-Response = 0x0100cc49a55de60f33a16e0afd73fb10d7ddeb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4
        NAS-IP-Address = 10.4.1.2
        NAS-Port = 0
server server_vpn {
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files]        expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files]        expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to int.example.com:389, authentication 0
rlm_ldap: bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
rlm_ldap: ldap_release_conn: Release Id: 0
[files]        expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=cisco rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
rlm_ldap: performing search in CN=Infrastructure,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)
rlm_ldap: object not found
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for notvpnuser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap]        expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap]        expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user notvpnuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for notvpnuser with NT-Password
[mschap]        expand: --username=%{mschap:User-Name} -
Re: separating Users?
> What I think is my final problem. I'm now working to authenticate VPN users in the same scenario, using the l2tp client in windows. Looks like everything automatically picks up that it's a MSCHAP request. Using a similar logic:
>
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == VPN_Users
>
> The only problem is that it appears to ignore my LDAP group, and just authenticate ANY user (with a valid User ID/Password) regardless of LDAP group.

Yes, if that DEFAULT entry doesn't match - it will get ignored. If you want authentication to fail if such conditions are not met you need to add Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth, Auth-Type won't be set and authentication will fail.

Ivan Kalik

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: separating Users?
At 09:41 PM 11/30/2009, you wrote:
> Yes, if that DEFAULT entry doesn't match - it will get ignored. If you want authentication to fail if such conditions are not met you need to add Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth, Auth-Type won't be set and authentication will fail.

so if ./users:

DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == Infrastructure
        Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15,

DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == VPN_Users

it should work?

I think even with the Auth-Type specified as ntlm_auth, an Auth-Type is being set, as it's finding MSCHAP for me: radiusd -X gives:

Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}

If I remark out:

#       Auth-Type MS-CHAP {
#               mschap
#       }

from my server config, that stops it from being found, but then I lose the password for ntlm_auth I think:

Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth]     expand: --username=%{mschap:User-Name} -> --username=rsteeves
[ntlm_auth]     expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

Is that going to be a limitation of using MSCHAP/MSCHAP2?

Rick
Re: separating Users?
freerad...@corwyn.net wrote:
> so if ./users:
>
> DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == Infrastructure
>         Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15,
>
> DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == VPN_Users
>
> it should work?

  No.

> I think even with the Auth-Type specified as ntlm_auth, an Auth-Type is being set, as it's finding MSCHAP for me:

  Because the NAS is sending MS-CHAP requests.

> from my server config, that stops it from being found, but then I lose the password for ntlm_auth I think:

  Because you've forced the ntlm_auth module to be run. That module ONLY checks clear-text passwords, and there is NO clear-text password in the request.

  Change the line having ...

        Auth-Type := ntlm_auth,

  to ...

        Auth-Type = ntlm_auth,

  And read "man users" to see what the difference is.

  Alan DeKok.
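As an added illustration (not code from this thread or from FreeRADIUS), the following Python models the users-file operator semantics Alan points at: the mschap module has already set Auth-Type in authorize, so ":=" replaces it with ntlm_auth (which then has no clear-text password to check, the NT_STATUS_WRONG_PASSWORD Rick saw), while "=" leaves the MSCHAP value in place. The request dict, the group set and the one-line module behaviour are assumptions made for the example.

```python
# Model of how a FreeRADIUS 2.x 'users' entry merges its check items into the
# control list, to show why ':=' and '=' behave differently for Auth-Type here.
# Added illustration only, not FreeRADIUS code; module behaviour is simplified.

# Constructed MS-CHAPv2 request like the one in the debug output: it carries an
# MS-CHAP2-Response but no User-Password attribute.
VPN_REQUEST = {"User-Name": "notvpnuser", "Huntgroup-Name": "VPN_Huntgroup",
               "MS-CHAP2-Response": "0x0100cc49..."}   # constructed value

def vpn_entry(op):
    """The thread's VPN DEFAULT entry, with the chosen operator for Auth-Type."""
    return [("Huntgroup-Name", "==", "VPN_Huntgroup"),
            ("Auth-Type", op, "ntlm_auth"),
            ("Ldap-Group", "==", "VPN_Users")]

def entry_matches(entry, request, groups):
    """An entry matches only if every '==' check item matches."""
    for attr, op, value in entry:
        if op != "==":
            continue                      # '=' and ':=' never fail a match
        if attr == "Ldap-Group":
            if value not in groups:       # what rlm_ldap's groupcmp decides
                return False
        elif request.get(attr) != value:
            return False
    return True

def apply_entry(entry, request, groups, control):
    """Return (new control list, matched). Per 'man users': ':=' always
    replaces the attribute, '=' sets it only if it is not already present."""
    ctl = dict(control)
    if not entry_matches(entry, request, groups):
        return ctl, False
    for attr, op, value in entry:
        if op == ":=":
            ctl[attr] = value
        elif op == "=":
            ctl.setdefault(attr, value)
    return ctl, True

# What each Auth-Type needs: ntlm_auth (exec) sees only User-Password, mschap the MS-CHAP attrs.
NEEDS = {"ntlm_auth": "User-Password", "MSCHAP": "MS-CHAP2-Response"}

def outcome(op, groups, request=VPN_REQUEST):
    """(entry matched, resulting Auth-Type, would authentication succeed)."""
    # The mschap module runs in authorize before files and sets Auth-Type.
    control = {"Auth-Type": "MSCHAP"} if "MS-CHAP2-Response" in request else {}
    control, matched = apply_entry(vpn_entry(op), request, groups, control)
    auth_type = control.get("Auth-Type")
    return matched, auth_type, NEEDS.get(auth_type) in request
```

Note that for a user outside VPN_Users the entry simply does not match and Auth-Type stays MSCHAP, which is Ivan's point about why non-members still authenticate.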