Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-04 Thread Alan DeKok
freerad...@corwyn.net wrote:
 no it does not. FYI I believe 1813 is actually TCP (empirically working
 through my firewalls that way).

  1813 is RADIUS accounting.  It's currently over UDP.

  RADIUS over TCP is coming, too.

  1814 only necessary if you're using proxy I think.

  1814, *and* any other randomly assigned port when the proxy opens a
new socket.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-04 Thread Alan DeKok
freerad...@corwyn.net wrote:
 Having just followed all of those instructions to build out my
 production systems, I have a few tweaks to fix all those little things
 that drive one insane when following someone's instructions because they
 never tested them.

  Thanks.  Here's a short review.

 Note that the configuring of SAMBA, kerberos, and adding to the domain
 should already be done as part of the default Linux install, see
 h:\is\operating system\Linux\Guide_linux.doc

  This file is... ?

 Verify that a user in the domain can be authenticated:
 wbinfo -a user%password
 Try the same login with the ntlm_auth program, which is what FreeRADIUS
 will be using:
 ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user
 --password=password
 /etc/raddb/radiusd.conf  (see Appendix C)
 
 Update max_requests to # users * 256

  That isn't necessary.  It should be no more than max request/s *
max_request_time.

 Add to the end of the auth listen {..} (to permit groups of clients)
 clients = disambiguate

 Add to the end of the acct listen {..}  (to permit groups of clients)
 clients = disambiguate

  I don't understand why this is necessary.  All it does is put the
clients into a sub-section.  There's no additional value or capabilities
in doing this.

 Since we're not using any of these methods for the Ciscos, in
 authenticate{..} disable:   chap, mschap, suffix, ntdomain, unix, pap
 
 Add to the end of the authorize{..} section:
 ntlm_auth

  Or to the end of the authenticate section?

 Note: The secret needs to match the secret set on the respective client.
 Change the secret to an actual secret
 
 clients disambiguate {

  Again, there's no reason for this.

  Alan DeKok.


Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-04 Thread freeradius

At 04:33 AM 12/4/2009, Alan DeKok wrote:

freerad...@corwyn.net wrote:
 Note that the configuring of SAMBA, kerberos, and adding to the domain
 should already be done as part of the default Linux install, see
 h:\is\operating system\Linux\Guide_linux.doc

  This file is... ?


Heh, part of our internal documentation structure. As long as I'm 
copy/pasting this from that, it's likely to stay in there.


 Update max_requests to # users * 256

  That isn't necessary.  It should be no more than max request/s *
max_request_time.


Well the docs say:
#  max_requests: The maximum number of requests which the server keeps
#  track of.  This should be 256 multiplied by the number of clients.
#  e.g. With 4 clients, this number should be 1024.

so I was just doing what this said.


 Add to the end of the acct listen {..}  (to permit groups of clients)
 clients = disambiguate

  I don't understand why this is necessary.  All it does is put the
clients into a sub-section.  There's no additional value or capabilities
in doing this.


I probably picked this up from one of the random docs while trying to 
puzzle things out that weren't clear. Since it helps show how to use 
a subsection, it's useful to me.



 Since we're not using any of these methods for the Ciscos, in
 authenticate{..} disable:   chap, mschap, suffix, ntdomain, unix, pap

 Add to the end of the authorize{..} section:
 ntlm_auth

  Or to the end of the authenticate section?


d'oh!  good catch (it's right in the appendix at least)


Thanks!

Rick




Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-04 Thread Alan DeKok
freerad...@corwyn.net wrote:
 Update max_requests to # users * 256
   That isn't necessary.  It should be no more than max request/s *
 max_request_time.
 
 Well the docs say:
 #  max_requests: The maximum number of requests which the server keeps
 #  track of.  This should be 256 multiplied by the number of clients.
 #  e.g. With 4 clients, this number should be 1024.
 
 so I was just doing what this said.

  No.  users are not clients.  Users are people logging in.  RADIUS
clients are NAS machines.

 I probably picked this up from one of the random docs while trying to
 puzzle things out that weren't clear. Since it helps show how to use a
 subsection, it's useful to me.

  The problem for a *public* document is that unnecessary pieces confuse
people.

  Alan DeKok.


Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-04 Thread freeradius

At 11:00 AM 12/4/2009, Alan DeKok wrote:

freerad...@corwyn.net wrote:
 Update max_requests to # users * 256
   That isn't necessary.  It should be no more than max request/s *
 max_request_time.

 Well the docs say:
 #  max_requests: The maximum number of requests which the server keeps
 #  track of.  This should be 256 multiplied by the number of clients.
 #  e.g. With 4 clients, this number should be 1024.

  No.  users are not clients.  Users are people logging in.  RADIUS
clients are NAS machines.



Ah! cool, thx.

Rick



AD, Groups, and LDAP (was Re: separating Users?)

2009-12-03 Thread freeradius


Having just followed all of those instructions to 
build out my production systems, I have a few 
tweaks to fix all those little things that drive 
one insane when following someone's instructions 
because they never tested them.



Using FreeRADIUS2

Rick Steeves – 091203
freeradi...@corwyn.net

Setup, configuration, troubleshooting instructions, on CentOS 5.x
Goals:
o   Authentication of telnet sessions for Cisco switches against AD for a specific security group (Infrastructure)
o   Authentication for VPN users using MSCHAP on a SonicWall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users)

Install
The linux site for the rpm download of freeradius2 is:
http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:

[freeradius2]
name=Freeradius2
baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
enabled=1
gpgcheck=0

Install freeradius2:
yum clean all
yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
chkconfig radiusd on

To start the freeRadius service
service radiusd start

To run the service in debug mode (which you 
should be doing until everything works):

service radiusd stop
radiusd -X
Quirks
If you get an error from the output of radiusd -X along the lines of:

Exec-Program output: winbind client not 
authorized to use winbindd_pam_auth_crap.  Ensure 
permissions on 
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)


then the issue is that radiusd doesn't have 
access to the winbindd_privileged folder. You can fix with:


chgrp radiusd /var/cache/samba/winbindd_privileged
chmod g+rw /var/cache/samba/winbindd_privileged
Configuration
See http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and 
adding to the domain should already be done as 
part of the default Linux install, see 
h:\is\operating system\Linux\Guide_linux.doc

Verify that a user in the domain can be authenticated:
wbinfo -a user%password
Try the same login with the ntlm_auth program, 
which is what FreeRADIUS will be using:
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

/etc/raddb/radiusd.conf  (see Appendix C)

Update max_requests to # users * 256

Add to the end of the auth listen {..} (to permit groups of clients)
clients = disambiguate

Add to the end of the acct listen {..}  (to permit groups of clients)
clients = disambiguate

Add to the end of the modules{..} section:  (to 
enable ntlm_auth as an authentication method)

exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}

In log{..}

auth = yes  (to log authentication requests)
/etc/raddb/huntgroups
huntgroups let you restrict which clients are 
associated with which user. You will need to add 
each IP of each device that will be using the 
RADIUS server, and associate it with the correct 
huntgroup. This will let the /etc/raddb/users 
file associate the user with the appropriate device:


/etc/raddb/huntgroups:
Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
Cisco_Huntgroup NAS-IP-Address == 10.100.0.3
…
VPN_Huntgroup   NAS-IP-Address == 10.4.1.2
/etc/raddb/modules/ldap
If this file is missing, you need to install the RPM for freeradius2-ldap.

This section is one of the biggest pains to 
configure, as all of your LDAP strings need to be 
100% correct, and they will be very specific to 
the environment. Of course, update server, 
identity, password, basedn for your own environment.


You will need a user account in AD to permit the 
bind to LDAP. In this example, that account is in:
CN=_useraccount,OU=Service Accounts,OU=Special 
User Accounts,OU=Enterprise,DC=example,DC=com


In this example, the Security groups are located in (or below):
OU=Enterprise,DC=example,DC=com

ldap {
    server = example.com
    identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
    password = secretpassword
    basedn = "OU=Enterprise,DC=example,DC=com"
    filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
    groupmembership_attribute = memberOf
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
Configuration of different virtual sites
For this you'll have 3 general sites, default 
(used mostly for 

Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-03 Thread Alan Buxey
Hi,

 Install freeradius2:
 yum clean all
 yum install freeradius2 freeradius2-utils freeradius2-ldap

note, there are other packages should you need eg SQL support

 Exec-Program output: winbind client not
 authorized to use winbindd_pam_auth_crap.  Ensure
 permissions on
 /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
 
 then the issue is that radiusd doesn't have
 access to the winbindd_privileged folder. You can fix with:
 
 chgrp radiusd /var/cache/samba/winbindd_privileged
 chmod g+rw /var/cache/samba/winbindd_privileged

..and be very very aware that if you install a SAMBA update
(eg there's an update released) then the post-install of the
SAMBA will reblat those permissions! :-(


you didn't note if you were SELinux enabled and any issues that
might befall that - I'm also not sure but does the freeradius2
package automatically put the right firewall holes into place too
(if not you'd need to add UDP 1812,1813 and 1814 to the incoming
rule chain)

alan


Re: AD, Groups, and LDAP (was Re: separating Users?)

2009-12-03 Thread freeradius

At 05:27 PM 12/3/2009, Alan Buxey wrote:

note, there are other packages should you need eg SQL support


Not if you're not using SQL support (which I'm not). You'd then also 
need a lot of instructions on setting up SQL :-)



you didnt note if you were SELinux enabled and any issues that
might befall that -


For my own doc purposes that's covered in the Linux guide we use to 
set up systems, but I'll add a note here.



I'm also not sure but does the freeradiusd2
package automatically put the right firewall holes into place too
(if not you'd need to add UDP 1812,1813 and 1814 to the incoming
rule chain)


no it does not. FYI I believe 1813 is actually TCP (empirically 
working through my firewalls that way).  1814 only necessary if 
you're using proxy I think.


Rick





Re: separating Users?

2009-12-02 Thread John Dennis

On 12/01/2009 06:31 PM, freerad...@corwyn.net wrote:



Well, thanks to an inordinate amount of help, I've got my RADIUS server
up and running exactly how I want it to.

As part of my business process, I've got a detailed doc on how the
server is/was constructed. I'd like to contribute that to the wiki, but
I don't see that I can create an account.


Thank you Rick for contributing this, I'm sure it will be a help to 
others. We need more and better documentation. Alan has the ability to 
create wiki accounts, it can't be done on your own because of concerns 
over vandalism. If you don't get an account I'd be happy to add this 
under the Red Hat page or wherever it makes most sense.

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: separating Users?

2009-12-01 Thread freeradius

At 02:39 AM 12/1/2009, Alan DeKok wrote:

  Because you've forced the ntlm_auth module to be run.  That module
ONLY checks clear-text passwords, and there is NO clear-text password in
the request.

  Change the line having
... Auth-Type := ntlm_auth, ...
  to
... Auth-Type = ntlm_auth, ...


DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == Infrastructure
        Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth, Ldap-Group == VPN_Users



It runs the LDAP group check, but still lets the user log in even 
when he's not in the VPN_Users group:


rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for ciscorsteeves
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[ldap]  expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=ciscorsteeves)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=example,DC=com -> OU=Enterprise,DC=example,DC=com

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=example,DC=com, with filter (&(sAMAccountname=ciscorsteeves)(objectClass=person))

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure 
that the user is configured correctly?

[ldap] user ciscorsteeves authorized to use remote access



  And read man users to see what the difference is.


Ahh, man 5 users. cool.

Rick





Re: separating Users?

2009-12-01 Thread tnt
 DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth,
 Ldap-Group == VPN_Users


 It runs the LDAP group check, but still lets the user log in even
 when he's not in the VPN_Users group:

Use unlang for better control of what happens:

if (Huntgroup-Name == VPN_Huntgroup) {
    if (Ldap-Group == VPN_Users) {
        if (!control:Auth-Type) {
            update control {
                Auth-Type = ntlm_auth
            }
        }
    }
    else {
        reject
    }
}

Ivan Kalik



Re: separating Users?

2009-12-01 Thread freeradius

At 01:03 PM 12/1/2009, t...@kalik.net wrote:

Use unlang for better control of what happens:

if (Huntgroup-Name == VPN_Huntgroup) {
    if (Ldap-Group == VPN_Users) {
        if (!control:Auth-Type) {
            update control {
                Auth-Type = ntlm_auth
            }
        }
    }
    else {
        reject
    }
}



If I understand correctly, I don't need to worry about ntlm_auth at 
all in this case (because with MSCHAP I don't have a cleartext 
password, and thus ntlm_auth won't do me any good), so I probably 
don't need to update the Auth-Type?


So I think what I need is:

if(Huntgroup-Name == VPN_Huntgroup) {
 if(Ldap-Group == VPN_Users) {
 }
 else {
  reject
 }
}


would that unlang go into the ./users file?  or into the 
authorization {..} section?






Re: separating Users?

2009-12-01 Thread tnt
 If I understand correctly, I don't need to worry about ntlm_auth at
 all in this case (because with MSCHAP I don't have a cleartext
 password, and thus ntlm_auth won't do me any good), so I probably
 don't need to update the Auth-Type?

If you are sure that all requests will be mschap. That if will work just
if it's a pap request.

 So I think what I need is:
if(Huntgroup-Name == VPN_Huntgroup) {
  if(Ldap-Group == VPN_Users) {

Put just ok in there. It might not like empty brackets.

  }
  else {
   reject
  }
}

 would that unlang go into the ./users file?  or into the
 authorization {..} section?

authorize.

Ivan Kalik

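Ivan's unlang, carried into the server_vpn virtual server from Rick's write-up, as an added example (it is not configuration posted in this thread). The layout of the site file is an assumption; `preprocess`, `mschap`, `ldap`, `ok`, `reject` and `Auth-Type MS-CHAP` are standard FreeRADIUS 2.x modules and keywords, and the exec `ntlm_auth` module is assumed to be defined as in Rick's radiusd.conf. The extra `User-Password` test is added to cover Ivan's caveat that setting Auth-Type = ntlm_auth only makes sense for a PAP request; the Reply-Message text is made up.

```text
# /etc/raddb/sites-available/server_vpn -- authorize section (added example)
authorize {
        preprocess      # assigns Huntgroup-Name from /etc/raddb/huntgroups
        mschap          # MS-CHAP attributes present -> Auth-Type = MS-CHAP
        ldap            # normal LDAP authorization; the ldap module instance
                        # is also what makes the Ldap-Group check item exist

        if (Huntgroup-Name == "VPN_Huntgroup") {
                if (Ldap-Group == "VPN_Users") {
                        # Only a PAP request carries a clear-text User-Password,
                        # which is the only thing the ntlm_auth exec module can
                        # check.  An MS-CHAP request already has its Auth-Type
                        # from the mschap module and is left alone.
                        if (!control:Auth-Type && User-Password) {
                                update control {
                                        Auth-Type = ntlm_auth
                                }
                        }
                        ok
                }
                else {
                        # Valid AD account but not in VPN_Users: refuse it here,
                        # otherwise the MS-CHAP step would authenticate it.
                        update reply {
                                Reply-Message := "Not a member of VPN_Users"
                        }
                        reject
                }
        }
        else {
                # This virtual server only serves the VPN firewall.
                reject
        }
}

authenticate {
        Auth-Type MS-CHAP {
                mschap          # verifies the MS-CHAPv2 response against AD
        }
        ntlm_auth               # PAP logins: clear-text password via the exec module
}
```

The `reject` in the `else` branch is what the users-file approach cannot do for MS-CHAP: by the time `files` runs, `mschap` has already chosen the authentication method, so a group check in `users` can only add reply items and never refuses a valid domain account. With `radiusd -X` the line `[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'` confirms which path a request took.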


Re: separating Users?

2009-12-01 Thread freeradius

At 01:29 PM 12/1/2009, t...@kalik.net wrote:

 So I think what I need is:
if(Huntgroup-Name == VPN_Huntgroup) {
  if(Ldap-Group == VPN_Users) {

Put just ok in there. It might not like empty brackets.

  }
  else {
   reject
  }
}




That did it! Thanks! I think that gets me up 100%.

(Now to go write up all the docs for my own paper trail, and get them 
in shape to go somewhere in the freeradius doc realm)


Rick




Re: separating Users?

2009-12-01 Thread freeradius



Well, thanks to an inordinate amount of help, 
I've got my RADIUS server up and running exactly how I want it to.


As part of my business process, I've got a 
detailed doc on how the server is/was 
constructed. I'd like to contribute that to the 
wiki, but I don't see that I can create an account.


Also, since it drives me nuts when I'm searching 
on line for a fix, and an email thread ends JUST 
before I have the data that I need, or a piece is 
missing, here's that documentation as well


Rick Steeves – 091201
freeradi...@corwyn.net

Setup and configuration instructions, on CentOS 5.x
Goals:
o   Authentication of telnet sessions for Cisco switches against AD for a specific security group (Infrastructure)
o   Authentication for VPN users using MSCHAP on a SonicWall firewall using a Windows VPN client with L2TP against AD for a specific security group (VPN_Users)

Install
The linux site for the rpm download of freeradius2 is:
http://people.redhat.com/jdennis/freeradius-rhel-centos

Create /etc/yum.repos.d/freeradius2.repo:

[freeradius2]
name=Freeradius2
baseurl=http://people.redhat.com/jdennis/freeradius-rhel-centos
enabled=1
gpgcheck=0

Install freeradius2:
yum install freeradius2 freeradius2-utils freeradius2-ldap

Enable FreeRadius to start on boot:
chkconfig radiusd on

To start the freeRadius service
service radiusd start

To run the service in debug mode (which you 
should be doing until everything works):

service radiusd stop
radiusd -X
Configuration
http://deployingradius.com/documents/configuration/active_directory.html

Note that the configuring of SAMBA, kerberos, and 
adding to the domain should already be done as 
part of the default Linux install, see 
h:\is\operating system\Linux\Guide_linux.doc

Verify that a user in the domain can be authenticated:
wbinfo -a user%password
Try the same login with the ntlm_auth program, 
which is what FreeRADIUS will be using:
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user --password=password

./raddb/radiusd.conf  (see Appendix C)

Update max_requests to # users * 256

Add to the end of the auth listen {..}
clients = disambiguate

Add to the end of the acct listen {..}
clients = disambiguate

Add to the end of the modules{..} section:

exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=example.com --username=%{mschap:User-Name} --password=%{User-Password}"
}

In log {..}

auth = yes
huntgroups
huntgroups let you restrict which clients are 
associated with which user. You will need to add 
each IP of each device that will be using the 
RADIUS server, and associate it with the correct 
huntgroup. This will let the ./users file 
associate the user with the appropriate device:


/etc/raddb/huntgroups:
Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
Cisco_Huntgroup NAS-IP-Address == 10.100.0.3
…
VPN_Huntgroup   NAS-IP-Address == 10.4.1.2
./raddb/modules/ldap (See appendix D)
If this file is missing, you need to install the RPM for freeradius2-ldap.

This section is one of the biggest pains to 
configure, as all of your LDAP strings need to be 
100% correct, and they will be very specific to 
the environment. Of course, update server, 
identity, password, basedn for your own environment.


You will need a user account in AD to permit the 
bind to LDAP. In this example, that account is in:
CN=_useraccount,OU=Service Accounts,OU=Special 
User Accounts,OU=Enterprise,DC=example,DC=com


In this example, the Security groups are located in (or below):
OU=Enterprise,DC=example,DC=com

ldap {
    server = example.com
    identity = "CN=_useraccount,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=example,DC=com"
    password = secretpassword
    basedn = "OU=Enterprise,DC=example,DC=com"
    filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))"
    groupmembership_attribute = memberOf
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}
Configuration of different virtual sites
For this you'll have 3 general sites, default 
(used mostly for testing on 127.0.0.1), 
server_cisco (used to AAA the Cisco users), and 
server_vpn (used to AAA the VPN users).

inner-tunnel
Add:
ntlm_auth
to the end of the authenticate{..} section
default
Add:
 ntlm_auth
to the end of the authenticate{..} section
server_cisco (see Appendix B)
We're going to duplicate the default config, and 
modify it for that particular virtual server:


cp 

RE: separating Users?

2009-11-30 Thread Tim Sylvester
Read the comments in the huntgroups file in the raddb directory. This will
show you how to setup a huntgroup which can be used to authorize users based
on the switch (NAS) sending the authentication request.

Tim

 -Original Message-
 From: freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org
 [mailto:freeradius-users-
 bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf
 Of freerad...@corwyn.net
 Sent: Monday, November 30, 2009 11:54 AM
 To: FreeRadius users mailing list
 Subject: separating Users?
 
 
 
 
 There's a piece of RADIUS that I'm not understanding.
 
 If I have an entry in my ./users file
 DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
         Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
 
 And another entry
 DEFAULT Auth-Type:=Accept,Ldap-Group == Group2
         Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
 
 where I'm trying to authorize users in Group1 for one set of
 switches, and users in Group2 for another set of switches, how does
 freeradius know which is which?
 
 Rick
 
 
 
 
 Rick Steeves
 http://www.sinister.net
 
 In reality nothing is more damaging to the adventurous spirit within
 a man than a secure future -  Alexander Supertramp
 



Re: separating Users?

2009-11-30 Thread John Dennis

On 11/30/2009 02:54 PM, freerad...@corwyn.net wrote:




There's a piece of RADIUS that I'm not understanding.

If I have an entry in my ./users file
DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15

And another entry
DEFAULT Auth-Type:=Accept,Ldap-Group == Group2
Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15

where I'm trying to authorize users in Group1 for one set of switches,
and users in Group2 for another set of switches, how does freeradius
know which is which?


I assume you're asking how does FreeRADIUS know which switch the request 
is associated with, correct? Typically this is done with huntgroups 
which adds a huntgroup name to the request based on the IP address of 
the NAS. You then perform different operations based on the huntgroup 
name. See the huntgroups file for more documentation or the wiki howto 
for how to implement huntgroups in SQL.


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: separating Users?

2009-11-30 Thread David Mitchell
freerad...@corwyn.net wrote:
 
 
 
 There's a piece of RADIUS that I'm not understanding.
 
 If I have an entry in my ./users file
 DEFAULT Auth-Type:=Accept,Ldap-Group == Group1

 Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
 
 And another entry
 DEFAULT Auth-Type:=Accept,Ldap-Group == Group2

 Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
 
 where I'm trying to authorize users in Group1 for one set of switches,
 and users in Group2 for another set of switches, how does freeradius
 know which is which?

You want something like this in huntgroups. It will assign the huntgroup
based on the value of NAS-IP-Address.
cisco   NAS-IP-Address == 10.0.0.1
cisco   NAS-IP-Address == 10.0.0.2


And then in your users file:
DEFAULT Ldap-Group == cisco-admin, Huntgroup-Name == cisco
        Service-Type := Administrative-User,
        Reply-Message := "Authorized Users Only"
DEFAULT Ldap-Group == cisco-user, Huntgroup-Name == cisco
        Service-Type := NAS-Prompt-User,
        Reply-Message := "Authorized Users Only"

This gives the different classes of users different levels of access to
the same devices. It should be clear though how to make it do what you want.

I see several potential problems in your config.

1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
Group1 irrespective of the supplied password.

2) You don't specify the requirement to match a huntgroup name. All of
the match clauses should be provided comma separated after DEFAULT.

3) You probably don't want the '=' operator, as it will not replace an
existing entry in the reply. The ':=' will replace an existing entry.
This probably isn't a problem in your case, but I would do it anyway.

4) I never had much luck with that priv-lvl=15 AV pair. I have both
CatOS and IOS devices respecting the Service-Type AV though.

-David Mitchell

 
 Rick
 
 
 
 
 Rick Steeves
 http://www.sinister.net
 
 In reality nothing is more damaging to the adventurous spirit within a
 man than a secure future -  Alexander Supertramp
 


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-


Re: separating Users?

2009-11-30 Thread freeradius

At 03:27 PM 11/30/2009, David Mitchell wrote:

1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
Group1 irrespective of the supplied password.


Sigh. Here I was all excited that I had everything working, and was 
merrily working on my docs and making them into a HOWTO. And you're 
right on target. Correct user ID any password permits access.


So here's my users file once I take that out:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure
        Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15
DEFAULT Auth-Type = ntlm_auth

And now it doesn't work.
Authentication failed.

If I switch the order I get:
Authorization failed  




Re: separating Users?

2009-11-30 Thread John Dennis

On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:

At 03:27 PM 11/30/2009, David Mitchell wrote:

1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
Group1 irrespective of the supplied password.


Sigh. Here I was all excited that I had everything working, and was
merrily working on my docs and making them into a HOWTO. And you're
right on target. Correct user ID any password permits access.

So here's my users file once I take that out:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure
Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15
DEFAULT Auth-Type = ntlm_auth

And now it doesn't work.
Authentication failed.

If I switch the order I get:
Authorization failed


You need to set fall-through so that you still do per user processing. 
This is documented in the raddb/users file and you should also read 
doc/processing_users_file


--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Re: separating Users?

2009-11-30 Thread tnt
 On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:
 At 03:27 PM 11/30/2009, David Mitchell wrote:
 1) Don't specify the Auth-Type. You still want to check the password I
 assume. I think your config will let in any user who is in group
 Group1 irrespective of the supplied password.

 Sigh. Here I was all excited that I had everything working, and was
 merrily working on my docs and making them into a HOWTO. And you're
 right on target. Correct user ID any password permits access.

 So here's my users file once I take that out:
 DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group ==
 Infrastructure
 Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15
 DEFAULT Auth-Type = ntlm_auth

 And now it doesn't work.
 Authentication failed.

 If I switch the order I get:
 Authorization failed

 You need to set fall-through so that you still do per user processing.
 This is documented in the raddb/users file and you should also read
 doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (ie. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.

Ivan Kalik
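Rick's huntgroups and users lines rewritten with the two fixes from this sub-thread (drop Auth-Type := Accept, then either name the method on each entry or use Fall-Through), as an added example; these are not Rick's actual files. Huntgroup names, NAS addresses and AD group names are the ones used in the thread, the commented WEAK entry is the shape the thread started from, and the two variants below it are alternatives, not meant to coexist in one file.

```text
# /etc/raddb/huntgroups
# preprocess assigns Huntgroup-Name from the NAS address of the client;
# the addresses are the constructed ones used in this thread.
Cisco_Huntgroup NAS-IP-Address == 10.100.0.1
Cisco_Huntgroup NAS-IP-Address == 10.100.0.2
VPN_Huntgroup   NAS-IP-Address == 10.4.1.2

# /etc/raddb/users
#
# WEAK (the entry this sub-thread started from): Auth-Type := Accept tells
# the server to skip authentication, so any account in the Infrastructure
# group gets a privilege-15 shell with any password at all.
#
#DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure, Auth-Type := Accept
#        Service-Type := NAS-Prompt-User,
#        cisco-avpair := "shell:priv-lvl=15"

# VARIANT A: each entry names the method itself.  Telnet logins from IOS
# arrive as PAP with a clear-text User-Password, which is what the ntlm_auth
# exec module checks; ":=" is safe here because nothing has set an Auth-Type.
# A Cisco login for an account outside Infrastructure matches no entry, so
# (provided no other module in authorize sets one) no Auth-Type is ever set
# and the server rejects the request.
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure, Auth-Type := ntlm_auth
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15"

# VARIANT B (instead of A, not in addition): group entries only add reply
# items and fall through to one shared entry that picks the method.
# The shared entry uses "=" rather than ":=": it applies only when no
# Auth-Type has been set yet, so MS-CHAP requests already tagged by the
# mschap module keep their method.  A ":=" there would override it and
# break the VPN logins.
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure
        Service-Type := NAS-Prompt-User,
        cisco-avpair := "shell:priv-lvl=15",
        Fall-Through = Yes
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == VPN_Users
        Fall-Through = Yes
DEFAULT Auth-Type = ntlm_auth
```

Either variant is only as strong as its last matching entry. In variant B the shared entry matches every request, so a valid domain account in neither group still authenticates, just without the reply items; and for the VPN huntgroup the mschap module has already chosen the method before `files` runs, so a group check in `users` can add reply items but cannot refuse a non-member in either variant. Refusing those needs a rule that fires when the group checks fail, which is what the unlang `reject` in Ivan's later replies on the VPN case provides. With `radiusd -X`, the line `[files] users: Matched entry DEFAULT at line N` shows which entries a request actually hit.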


Re: separating Users?

2009-11-30 Thread freeradius

At 06:12 PM 11/30/2009, t...@kalik.net wrote:

 You need to set fall-through so that you still do per user processing.
 This is documented in the raddb/users file and you should also read
 doc/processing_users_file

Or just add Auth-Type := ntlm_auth to the first line (i.e. instead of
Accept). Fall-Through is more elegant since you don't have to add
Auth-Type to every DEFAULT entry.


Yup, both of those work, and I'm to the point I understand why!

What I think is my final problem.  I'm now working to authenticate 
VPN users in the same scenario, using the L2TP client in 
Windows.   Looks like everything automatically picks up that it's an 
MSCHAP request.


Using a similar logic:
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == VPN_Users

The only problem is that it appears to ignore my LDAP group, and just 
authenticate ANY user (with a valid User ID/ Password) regardless of 
LDAP group.


rad_recv: Access-Request packet from host 10.4.1.2 port 1924, id=55, length=129
User-Name = notvpnuser
MS-CHAP-Challenge = 0x85e6507f219630664491c4e1bbeee67b
MS-CHAP2-Response = 0x0100cc49a55de60f33a16e0afd73fb10d7ddeb6a17be2a61ce216acf7f23fce99bd216afceacc6f81ba4

NAS-IP-Address = 10.4.1.2
NAS-Port = 0
server server_vpn {
+- entering group authorize {...}
++[preprocess] returns ok
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files] expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to int.example.com:389, authentication 0
rlm_ldap: bind as CN=_sonicwall,OU=Service Accounts,OU=Special User Accounts,OU=Enterprise,DC=int,DC=example,DC=com/wvyjCHCd2LJHcNrmpr0I to int.example.com:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))

rlm_ldap: ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom)))

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(cn=VPN_Users)(|(&(objectClass=GroupOfNames)(member=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dcisco rsteeves\2cOU\3dIS\2cOU\3dUsers\2cOU\3dEnterprise\2cDC\3dint\2cDC\3dexample\2cDC\3dcom

rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=cisco rsteeves,OU=IS,OU=Users,OU=Enterprise,DC=int,DC=example,DC=com, with filter (objectclass=*)
rlm_ldap: performing search in CN=Infrastructure,OU=Security Groups,OU=Enterprise,DC=int,DC=example,DC=com, with filter (cn=VPN_Users)

rlm_ldap: object not found
rlm_ldap::groupcmp: Group VPN_Users not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for notvpnuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  expand: (&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person)) -> (&(sAMAccountname=notvpnuser)(objectClass=person))
[ldap]  expand: OU=Enterprise,DC=int,DC=example,DC=com -> OU=Enterprise,DC=int,DC=example,DC=com

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Enterprise,DC=int,DC=example,DC=com, with filter (&(sAMAccountname=notvpnuser)(objectClass=person))

[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

[ldap] user notvpnuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for notvpnuser with NT-Password
[mschap] expand: --username=%{mschap:User-Name} -> 

Re: separating Users?

2009-11-30 Thread tnt
 What I think is my final problem.  I'm now working to authenticate
 VPN users in the same scenario, using the l2tp client in
 windows.   Looks like everything automatically picks up that it's a
 MSCHAP request.

 Using a similar logic:
 DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group == VPN_Users

 The only problem is that it appears to ignore my LDAP group, and just
 authenticate ANY user (with a valid User ID/ Password) regardless of
 LDAP group.

Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
want authentication to fail if such conditions are not met you need to add
Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
Auth-Type won't be set and authentication will fail.

Ivan Kalik



Re: separating Users?

2009-11-30 Thread freeradius

At 09:41 PM 11/30/2009, you wrote:

Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
want authentication to fail if such conditions are not met you need to add
Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
Auth-Type won't be set and authentication will fail.


so if ./users:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == Infrastructure
	Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15,
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == VPN_Users


it should work?  I think even with the Auth-Type specified as 
ntlm_auth, an Auth-Type is being set, as it's finding MSCHAP for me:


radiusd -X gives:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}

If I remark out:
#   Auth-Type MS-CHAP {
#   mschap
#   }
from my server config, that stops it from being found, but then I 
lose the password for ntlm_auth I think:


Found Auth-Type = ntlm_auth
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=rsteeves
[ntlm_auth] expand: --password=%{User-Password} -> --password=
Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)

Is that going to be a limitation of using MSCHAP/MSCHAP2?

Rick


Re: separating Users?

2009-11-30 Thread Alan DeKok
freerad...@corwyn.net wrote:
 so if ./users:
 DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == Infrastructure
 	Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15,
 DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type:=ntlm_auth, Ldap-Group == VPN_Users
 
 
 it should work?

  No.

  I think even with the Auth-Type specified as ntlm_auth,
 an Auth-Type is being set, as it's finding MSCHAP for me:

  Because the NAS is sending MS-CHAP requests.

 from my server config, that stops it from being found, but then I lose
 the password for ntlm_auth I think:

  Because you've forced the ntlm_auth module to be run.  That module
ONLY checks clear-text passwords, and there is NO clear-text password in
the request.

  Change the line having

... Auth-Type := ntlm_auth, ...

  to
... Auth-Type = ntlm_auth, ...

  And read man users to see what the difference is.

  Alan DeKok.
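The two points argued in this thread, Ivan Kalik's (a DEFAULT entry that does not match is simply ignored; either add Fall-Through or put Auth-Type on every entry) and Alan DeKok's (use "Auth-Type = ntlm_auth", not ":=", so an Auth-Type that rlm_mschap already set is left alone), can be exercised offline with the model below. It is an added example, not FreeRADIUS code and not anything posted in the thread: it parses users-file entries shaped like Rick's and walks them with the ':=' / '=' / '==' semantics described in "man users". The Ldap-Group and Huntgroup-Name lookups, the password store, the sha256-based stand-in for the MS-CHAPv2 response, the quoting of the Cisco-AVPair value, and the trailing "DEFAULT Auth-Type := Reject" catch-all are all assumptions of the example; the catch-all in particular is not mentioned in the thread, but without it a user outside VPN_Users is still authenticated by rlm_mschap, which is exactly the "ignores my LDAP group" symptom Rick reported for notvpnuser.

```python
"""Model of FreeRADIUS 2.x users-file processing (added example, not FreeRADIUS code): ':='
versus '=' on Auth-Type, Fall-Through, and why a non-matching entry cannot by itself reject
an MS-CHAP request. Group, huntgroup and password data are constructed stand-ins for AD."""
import hashlib
import re

LDAP_GROUPS = {"rsteeves": {"Infrastructure"}, "vpnuser": {"VPN_Users"}, "notvpnuser": set()}
HUNTGROUPS = {"10.4.1.1": "Cisco_Huntgroup", "10.4.1.2": "VPN_Huntgroup"}
PASSWORDS = {"rsteeves": "Cisco!2009", "vpnuser": "Vpn!2009", "notvpnuser": "Nope!2009"}
CHALLENGE = bytes.fromhex("85e6507f219630664491c4e1bbeee67b")

# Rick's two entries as posted, Auth-Type forced with ':=' (Cisco-AVPair value quoted here).
USERS_FORCED = """\
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == Infrastructure
\tService-Type := NAS-Prompt-User,
\tCisco-AVPair := "shell:priv-lvl=15"
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type := ntlm_auth, Ldap-Group == VPN_Users
"""
# Alan's correction: '=' leaves an Auth-Type that rlm_mschap has already set alone.
USERS_FIXED = USERS_FORCED.replace("Auth-Type :=", "Auth-Type =")
# Assumption beyond the thread: a catch-all so a request matching no group entry is rejected.
USERS_FIXED_REJECT = USERS_FIXED + "DEFAULT Auth-Type := Reject\n"
# The earlier layout from the thread: group entry first, Auth-Type from a later DEFAULT.
USERS_FALL = """\
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Ldap-Group == Infrastructure
\tService-Type := NAS-Prompt-User,
\tCisco-AVPair := "shell:priv-lvl=15",
\tFall-Through = Yes
DEFAULT Auth-Type = ntlm_auth
"""
USERS_NOFALL = USERS_FALL.replace("\tFall-Through = Yes\n", "")

ITEM = re.compile(r'([A-Za-z0-9-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Split a users file into (name, check_items, reply_items) entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                          # indented line: reply items
            entries[-1][2].extend(ITEM.findall(line))
        else:                                          # new entry: name, then check items
            parts = line.split(None, 1)
            entries.append((parts[0], ITEM.findall(parts[1] if len(parts) > 1 else ""), []))
    unq = lambda items: [(a, o, v.strip('"')) for a, o, v in items]
    return [(n, unq(c), unq(r)) for n, c, r in entries]

def check_matches(attr, value, request):
    """'==' comparisons, including the two virtual attributes used in the thread."""
    if attr == "Huntgroup-Name":                       # set by preprocess from the NAS address
        return HUNTGROUPS.get(request.get("NAS-IP-Address")) == value
    if attr == "Ldap-Group":                           # stand-in for rlm_ldap groupcmp
        return value in LDAP_GROUPS.get(request["User-Name"], set())
    return request.get(attr) == value

def files_authorize(entries, request, control):
    """rlm_files: the first matching entry wins unless it replies Fall-Through = Yes."""
    reply = {}
    for name, checks, replies in entries:
        if name not in ("DEFAULT", request["User-Name"]):
            continue
        if not all(check_matches(a, v, request) for a, o, v in checks if o == "=="):
            continue
        for attr, op, value in checks:                 # ':=' and '=' items update the control list
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply[attr] = value
        if not fall_through:
            break
    return reply

def mschap2_response(user, password):
    """Constructed stand-in for the real MS-CHAPv2 NT-Response computation."""
    return hashlib.sha256(CHALLENGE + user.encode() + password.encode()).hexdigest()

def pap_request(user, nas, password):
    return {"User-Name": user, "NAS-IP-Address": nas, "User-Password": password}
def mschap_request(user, nas, password):
    return {"User-Name": user, "NAS-IP-Address": nas, "MS-CHAP-Challenge": CHALLENGE.hex(),
            "MS-CHAP2-Response": mschap2_response(user, password)}

def radius_request(users_text, request):
    """authorize { preprocess, mschap, files } then authenticate; returns (code, reply items)."""
    control = {}
    if "MS-CHAP2-Response" in request:                 # rlm_mschap: "Setting 'Auth-Type = mschap'"
        control.setdefault("Auth-Type", "mschap")
    reply = files_authorize(parse_users(users_text), request, control)
    user, auth = request["User-Name"], control.get("Auth-Type")
    if auth == "Accept":                               # no password check at all (the first bug)
        ok = True
    elif auth == "ntlm_auth":                          # ntlm_auth only checks a clear-text password
        ok = "User-Password" in request and request["User-Password"] == PASSWORDS.get(user)
    elif auth == "mschap":                             # rlm_mschap checks the challenge/response
        ok = request.get("MS-CHAP2-Response") == mschap2_response(user, PASSWORDS.get(user, ""))
    else:                                              # Reject, or no Auth-Type found at all
        ok = False
    return ("Access-Accept", reply) if ok else ("Access-Reject", {})
```

radius_request(USERS_FIXED, mschap_request("notvpnuser", "10.4.1.2", "Nope!2009")) returns Access-Accept: neither DEFAULT entry matches, files returns noop, and the Auth-Type = mschap set earlier in authorize still authenticates the user. With USERS_FIXED_REJECT the same request is rejected while vpnuser is still accepted, because the matching entry stops processing before the catch-all is reached. USERS_FORCED with an MS-CHAP request is rejected for the reason Alan gives: ':=' overrides the mschap Auth-Type and ntlm_auth then finds no User-Password in the request. USERS_NOFALL reproduces the "Authentication failed" from the first post (the group entry matches, processing stops, and no Auth-Type is ever set), and a lone "DEFAULT Auth-Type := Accept" accepts any password.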