Trying to strip the Windows Domain name from a login

2011-01-21 Thread Brett Littrell
Hi All,
 
I am trying to strip the domain name from a userid in the most efficient 
way possible; I am using version 2.1.1.  I have tried using the hints file with 
regular expressions.  
ex.
DEFAULT User-Name =~ ([A-Za-z1-9]+)
User-Name := %{2}
 
In RegexBuddy it shows two matches; I specify the second match, and in the 
debug output it fails and does not show any username.
 
I then found another reference to strip the domain from the LDAP module as 
shown below:
   filter = (cn=%{mschap:User-Name:-%{User-Name}}
#   filter = (cn=%{Stripped-User-Name:-%{User-Name}})
 
 I am using MSChapV2 and it seems to pass the correct username to the LDAP 
server; it looks like there is some other place I need to strip the domain 
besides the LDAP lookup, or the replies are using the stripped name and it 
is failing that way as well.  Either way it still is not working.  If I 
un-comment the Stripped-User-Name and use a supplicant that strips the domain 
prior to sending it, it does work, so RADIUS is working, just not with the standard 
Windows supplicant on XP.
 

Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.17.17.66 port 1645, id=198, 
length=157
User-Name = LPDOT1XTEST\\dotxuser
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = 00-1C-B1-5A-8E-05
Calling-Station-Id = 64-31-50-6E-DA-7A
EAP-Message = 0x0202001a014c50444f543158544553545c626c69747472656c6c
Message-Authenticator = 0x7041a9eaea23f1896725936e06e3f1dc
NAS-Port-Type = Ethernet
NAS-Port = 50005
NAS-IP-Address = 10.20.90.37
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = LPDOT1XTEST\dotxuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 26
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for LPDOT1XTEST\dotxuser
[ldap]  expand: (cn=%{mschap:User-Name:-%{User-Name}} -> (cn=dotxuser
[ldap]  expand: ou=users,o=musd -> ou=users,o=musd
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 172.17.17.1:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder2.b64
rlm_ldap: bind as cn=ldproxy,ou=somecx,o=cx/password! to 172.17.17.1:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=users,o=musd, with filter (cn=dotxuser
rlm_ldap: ldap_search() failed: Bad search filter: (cn=dotxuser
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> LPDOT1XTEST\dotxuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 172.17.17.66 port 1645
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +20
Ready to process requests.
 
And yes I am pretty new to freeradius.
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Trying to strip the Windows Domain name from a login

2011-01-24 Thread Brett Littrell
Hi Alan,
 
Thanks for the info.  Next question is what??  HeHe.   I started looking at 
the files you suggested and I am confused.  
 
First you mention looking into the realm information; I did that, and it is 
looking like that may not be too hard to do.  If I am using the FR server to 
access the LDAP server then I just need to set a realm of ntdomain and 
auth=LOCAL, correct?  Then you go on to say to strip the domain at the LDAP 
lookup; well, if I do it there wouldn't that fix the problem regardless of 
changing the realm?  You go on to explain that I should do the LDAP lookup in 
the inner-tunnel config; I have no problem with this, it makes sense.  The 
problem I have is how do you specify the inner tunnel in the configuration?
 
   Remember, I am new to FreeRadius; I have been using Cisco ACS for a few years now 
so I know about Radius in general, just not how to configure FreeRadius, and 
docs are a bit hard to come by.  If you can specify the files I should look at 
to configure the inner tunnel authentication and where to specify stripping the 
domain name pre-LDAP authentication that would help a lot.  I was not sure if I 
should attempt stripping the domain in the realm portion or right before the 
LDAP auth.
 
Thanks again, I will continue and try to figure out where to do this until I 
hear back.
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Friday, January 21, 2011 at 11:56 PM, in message 
 4d3a8da0.7050...@deployingradius.com, Alan DeKok 
 al...@deployingradius.com wrote:

Brett Littrell wrote:
> I am trying to strip the domain name from a userid in the most
> efficient way possible, I am using version 2.1.1.

  See the realms module, and the realm definition in raddb/proxy.conf.

> I am using MSChapV2 

  Then stripping the realm isn't a good idea.  The User-Name is used as
part of the MS-CHAPv2 calculations, so changing it will make the
authentication fail.

> I then found another reference to strip the domain from the LDAP
> module as shown below:
>    filter = (cn=%{mschap:User-Name:-%{User-Name}}

  This is wrong.  You're not closing the opening bracket:

filter = (cn=%{mschap:User-Name:-%{User-Name}})

> and it seems to pass the correct username to
> the LDAP server it looks like there is some other place I need to strip
> the domain besides the ldap lookup, that or the replies are using the
> stripped name and it is failing that way as well.  Either way it still
> is not working.  If I un-comment the stripped-user-name and use a
> supplicant that strips the domain prior to sending it, it does work so
> Radius is working, just not with standard windows supplicant on XP.

  If you're using EAP, you *really* don't want to strip the User-Name.
It will make EAP fail.

> And yes I am pretty new to freeradius.

  What you want is to change the *ldap* lookup so that it uses only the
name portion of the User-Name.  *Don't* edit the User-Name.

  And move the LDAP lookup to the inner-tunnel configuration.  That's
what it's for.  Don't do LDAP lookups in raddb/sites-available/default

  Alan DeKok.
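The arrangement Alan describes, as an added example (my configuration fragments, not the thread's and not the FreeRADIUS project's stock files): the outer server leaves User-Name alone and does no LDAP lookup, eap.conf names the virtual server that handles the protected inner MSCHAPv2 exchange, and the LDAP filter in that inner server is the only place the DOMAIN\ prefix is dropped. The base DN and bind DN are taken from the debug output above; the bind password is a placeholder and the TLS settings are omitted.

```unlang
# raddb/eap.conf -- PEAP carries the MSCHAPv2 exchange inside the TLS
# tunnel and hands the decrypted inner request to the virtual server
# named here.  "inner-tunnel" is simply the name of a server block in
# sites-enabled; the name itself is not hard-coded anywhere.
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
}

# raddb/modules/ldap -- the search filter is the only place the domain
# is stripped.  %{mschap:User-Name} expands to the part of User-Name
# after the backslash (LPDOT1XTEST\dotxuser -> dotxuser); the ":-"
# fallback uses the whole User-Name when there is no backslash to strip.
# Note the closing ")" that the original filter was missing.
ldap {
	server = "172.17.17.1"
	port = 636
	identity = "cn=ldproxy,ou=somecx,o=cx"
	password = "REPLACE-ME"      # placeholder, not the real bind password
	basedn = "ou=users,o=musd"
	filter = "(cn=%{mschap:User-Name:-%{User-Name}})"
	# TLS settings (CA certificate and so on) as already configured go here.
}

# raddb/sites-available/inner-tunnel -- the LDAP lookup belongs here,
# where the inner MSCHAPv2 request carrying the user's identity is
# processed.  User-Name itself is never rewritten, so the MS-CHAPv2
# and EAP calculations still see exactly what the supplicant sent.
server inner-tunnel {
	authorize {
		mschap
		suffix
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		files
		ldap
	}
	authenticate {
		Auth-Type MS-CHAP {
			mschap
		}
		eap
	}
	post-auth {
		Post-Auth-Type REJECT {
			attr_filter.access_reject
		}
	}
}

# raddb/sites-available/default -- the outer server only sees the EAP
# framing around the tunnel, so it never calls ldap.
authorize {
	preprocess
	suffix
	eap {
		ok = return
	}
	files
}
authenticate {
	eap
}
```

With this layout the debug output shows the ldap module running under "server inner-tunnel" with an expanded filter of (cn=dotxuser), while the outer request keeps User-Name = LPDOT1XTEST\dotxuser.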

Question on Virtual Servers and inner-tunnel

2011-01-25 Thread Brett Littrell
Hi All,
 
Hope this is not too stupid of a question but I have been checking out the 
inner-tunnel virtual server under sites-enabled.  I read up a little on virtual 
servers and it looks like the inner-tunnel virtual server is just a regular old 
virtual server, yet in the comments it says it specifically handles inner tunnel 
requests.  I went through the default config for the inner-tunnel and did not 
see any commands that were un-commented that seemed to specify that the server 
exclusively dealt with inner-tunnel requests.  So my question is whether naming 
the server inner-tunnel causes it to exclusively handle inner-tunnel requests, 
in other words is inner-tunnel a hard-coded name that has to be used for 
handling inner-tunnel requests?
 
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

Re: Question on Virtual Servers and inner-tunnel

2011-01-26 Thread Brett Littrell
Hi All,
 
You guys really explained it well, appreciate it.  I really wanted to know 
to try and get an idea of how this works and figure out the best way to set 
this up and clarifying that really helped.  
And yes I did get Gary joking and I do not mind a little elbow in the ribs 
joking, just as long as he does not mind paybacks in other email..HeHe:)  I do 
appreciate Alex popping in on my behalf as well, it is nice to see someone out 
there helping out the new guys.
Anyway, I think I have enough info to do some damage, hopefully I won't 
spam the list with too many more questions:)  
 
FYI: You guys are great, and I think I speak for everyone new to freeradius 
that we appreciate your help.
 
PS:  What is up with Gary's email?  or is it my threaded view?  Gary's email 
keeps popping up as a new email and not as a threaded response?

 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

Re: Question on Virtual Servers and inner-tunnel

2011-01-26 Thread Brett Littrell
Must have been a really old version of GW, I use GW here and it seems to thread 
fine but we are on the latest version.
Thanks again..
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, January 26, 2011 at 8:48 AM, in message 
 vrv518-hm1@chipmunk.wormnet.eu, Alexander Clouter 
 a...@digriz.org.uk wrote:

Brett Littrell blittr...@musd.org wrote:
 
> PS: What is up with Garys email?  or is it my threaded view?  Gary's 
> email keeps popping up as a new email and not as a threaded response?
 
I guess corporate policy is to use a broken email client as well as an 
SMTP server that adds a 'legally-holds-no-water' disclaimer.

The last mail client I saw doing this was Novell Groupwise shudder/

In case you did not know, if you look at the headers for the other emails 
here, you will see a 'References' line, that is what makes threading 
work...it's also the telltale sign when folk hit 'Reply' rather than 
'Compose' when they want to post a *new* thread to the mailing list.

Now if you fix your email client for text/plain only... :)

/email-nazi

-- 
Alexander Clouter
.sigmonster says: Serving coffee on aircraft causes turbulence.


Re: freeradius data encryption modes

2011-01-28 Thread Brett Littrell
Hey Gustav,
 
WPA and AES is the encryption that occurs between the client and
the access point, not from the client through the AP to the RADIUS server. 
The client establishes an encrypted connection to the AP using
WPA/AES (or TKIP), the AP then decrypts that info and uses RADIUS and
its own encryption methods to query the username, password to get
authorization and access levels.  So WPA/AES ends at the AP.
 
Hope that helps.
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Thursday, January 27, 2011 at 11:54 PM, in message
20110128075412.49...@gmx.net, mc...@gmx.de wrote:

Hi @all, I have installed a freeradius server successfully. I can login
with all my clients using WPA2 (AES-CCMP) PEAP with mschapv2.
Last week I got a new notebook that doesn't support the data encryption
AES-CCMP. The data encryption that I can specify (in WPA2 with
PEAP/mschapv2) only is AES, AES MFP, TKIP and TKIP MFP.
Here's my question, can I configure my freeradius server to support
logins with AES/AES MFP/TKIP/TKIP MFP?

Thanks for help...

Greetings Gustav

Question on Radius logs

2011-02-01 Thread Brett Littrell
Hi All,
 
Real quick and I am sure easy question here.   I read through the unlang 
man page, really helped in getting a clue.  One thing I was wondering though, 
is there a way to output text to the log based on a condition?  What I mean is 
something like if x!=y then printf( x did not equal y).  This would be for 
debugging and log review.  Currently we use Cisco ACS, which with all its 
limitations the one thing that is great about it is its pass/fail logs.  Our 
techs use them all the time to diagnose problems.  If I could inject text 
strings into the logs when certain issues occur it would make it a lot easier 
to figure out scripts as well as make common issues easier for techs to 
troubleshoot.
 
From what I can tell in the unlang man page it did not mention this, 
perhaps I missed it though.
 
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

Re: Question on Radius logs

2011-02-01 Thread Brett Littrell
Hi James,
 
That looks perfect for the tech logs, thanks.  The debugging side was a 
little different, I was thinking about inputting text strings in the middle of 
unlang scripts.  Usually when I write say a C program I will pop in a lot of 
printf's with variables so I know what a variable is in a program, well I used to 
anyway, debuggers make that too easy now to waste time on it.  For freeradius I 
was not sure if there was similar functionality.  I am guessing there is not, I 
was kind of thinking it may be a stretch to add something like that in a config 
file.
 
Thanks for the linelog module, that will really help a lot!!
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Tuesday, February 01, 2011 at 9:02 AM, in message 
 57DE4B8C2C2D9555B06A9046@valium, James J J Hooper 
 jjj.hoo...@bristol.ac.uk wrote:



--On Tuesday, February 01, 2011 08:41:54 -0800 Brett Littrell 
blittr...@musd.org wrote:



Hi Brett,
  It sounds like the linelog module may do what you need, in conjunction 
with unlang for the conditionals:
https://github.com/alandekok/freeradius-server/blob/v2.1.x/raddb/modules/linelog

Regards,
  James



-- 
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
-- 


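A concrete form of James's suggestion, as an added example (my configuration, not the thread's and not the project's stock modules/linelog file): one linelog instance writes a PASS/FAIL line for every request, and a second instance is called from an unlang condition, which is the closest FreeRADIUS 2.1.x gets to the printf-on-a-condition Brett asked about. The instance names and the techlog file name are my choice; the attributes logged are the ones visible in Brett's debug output.

```unlang
# raddb/modules/linelog -- one instance for the pass/fail log the techs
# read, one for a conditional warning line.
linelog techlog {
	filename = ${logdir}/techlog
	permissions = 0600

	# "reference" is expanded first and the result selects an entry in
	# the messages {} block; that entry is then expanded and written as
	# the log line.  In post-auth the reply Packet-Type is Access-Accept
	# or Access-Reject, so each outcome gets its own line format.
	# "format" is only used when no reference is configured.
	format = "techlog: %{User-Name}"
	reference = "messages.%{%{reply:Packet-Type}:-default}"
	messages {
		default = "%t OTHER user=%{User-Name} nas=%{NAS-IP-Address} port=%{NAS-Port}"
		Access-Accept = "%t PASS user=%{User-Name} nas=%{NAS-IP-Address} port=%{NAS-Port} mac=%{Calling-Station-Id} vlan=%{reply:Tunnel-Private-Group-Id}"
		# Module-Failure-Message is set by modules that explain why they
		# failed; not every failure sets it, hence the "unknown" fallback.
		Access-Reject = "%t FAIL user=%{User-Name} nas=%{NAS-IP-Address} port=%{NAS-Port} mac=%{Calling-Station-Id} reason=%{%{Module-Failure-Message}:-unknown}"
	}
}

# A static line, called from an unlang "if" below: the config-file
# equivalent of Brett's printf() on a condition.
linelog techlog_novlan {
	filename = ${logdir}/techlog
	permissions = 0600
	format = "%t WARN accept without VLAN user=%{User-Name} nas=%{NAS-IP-Address} port=%{NAS-Port}"
}

# raddb/sites-available/default (and inner-tunnel, if the decision is
# made there) -- post-auth runs after the accept/reject decision, which
# is the point where the pass/fail outcome is known.
post-auth {
	techlog

	# Condition plus module call == "if (x != y) printf(...)".  An
	# Access-Accept that carries no Tunnel-Private-Group-Id leaves the
	# port on the switch's default VLAN, a common thing for a tech to
	# have to spot.
	if ("%{reply:Tunnel-Private-Group-Id}" == "") {
		techlog_novlan
	}

	Post-Auth-Type REJECT {
		attr_filter.access_reject
		techlog
	}
}
```

The file is written with mode 0600 because the lines carry user names and MAC addresses; keep it that restrictive if the techs read it through some other channel.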

Re: Question on Radius logs

2011-02-01 Thread Brett Littrell
Thanks Alan,
 
Did not think about calling the perl module, that should work very well...
 
thanks
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Tuesday, February 01, 2011 at 10:15 AM, in message 
 20110201181525.ga9...@lboro.ac.uk, Alan Buxey a.l.m.bu...@lboro.ac.uk 
 wrote:

Hi,

as James says...unlang with linelog module.. if you want to do more,
then that's easy too - just use PERL module and use unlang with a call
to a logging PERL module - the world is your oyster at that stage regarding
what you can do  - with your printf's etc  :-)

alan

Re: Active Directory and authorize section

2011-02-01 Thread Brett Littrell
Hi Harry,
 
So this is the way I understand it.
 
The authenticate section is used to just verify that you are who you are, 
via certs, username/password, token etc.  The authorize section is where you 
define the sources for all the information you want FR to respond to.  So to 
just authenticate someone you would just need the authenticate section but if 
you wanted FreeRadius to assign a user to a specific vlan then you need to 
configure where that information is coming from which is defined in the 
authorize section.
 
For example, and this is a guess because I have never tried it.  You can 
have AD as the authenticator in the authenticate section then have local in 
the authorization section.  The AD makes sure Harry is Harry, if there is a 
user name Harry in the Local user file with information on what vlan he belongs 
to then it will send that information to the switch/router or what have you.  
Usually you set the Authenticate and authorize to the same servers though so 
the authenticate server pushes down the info for authorization as well.
 
Anyway, I hope that helps and I am not giving you bad info:)
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
 
 On Tuesday, February 01, 2011 at 1:07 PM, in message 
 1296594437.13427.45.camel@localhost.localdomain, Harry Hoffman 
 hhoff...@ip-solutions.net wrote:

Right, I do understand the distinction which is why I asked the
question.

I didn't know if the tutorial just assumed everyone was authorized and
then granted access as long as the userid/password matched AD or if
there's something missing that should be addressed in authorize.

Cheers,
Harry


On Tue, 2011-02-01 at 20:48 +, Alan Buxey wrote:
> Hi,
> 
> > I'm trying to find out what to use (if anything) in the authorize
> > section when authenticating clients via MSCHAP-v2 and AD credentials.
> > 
> > The how-to at deployingradius.com only speaks to the authentication
> > section.
> > 
> > If I only want to ensure that the username/password credentials are
> > valid do I need to run through authorize or just go straight to
> > authenticate?
> 
> authorise - CAN i use the network
> 
> authenticate - is my ID and password correct
> 
> 
> once you get that and understand the very clear difference, then you can 
> decide
> if you want to deal with authorise - and how to deal with it.
> 
> alan
> 



Re: Active Directory and authorize section

2011-02-02 Thread Brett Littrell
Hey Brian,
 
Very interesting, I would have thought Authenticate came first then 
Authorize since you need to authenticate in order to be authorized.  If that is 
the case and say you pull the vlan ids from ldap, or some other directory, how 
would Freeradius know what those values are prior to knowing who you are?   Or 
are you saying that the way the program loads the config the authorize section 
simply gets read first?
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 02, 2011 at 12:05 AM, in message 
 20110202080557.ga2...@talktalkplc.com, Brian Candler 
 b.cand...@pobox.com wrote:

I'd say that's not exactly true, or is not very clear anyway.

(1) freeradius always runs the authorize section first, then the
authenticate section

(2) the authorize section is where you do any sort of database lookups
needed, both to determine the reply attributes to send (in case the user
does authenticate successfully), and at the same time to find any
information needed to perform user authentication, such as the expected
password (Cleartext-Password in the control list)

(3) the authenticate section normally uses that extra info to perform the
authentication. If it fails, the reply attributes are stripped out and a
reject is sent.

Using ntlm_auth is a special case, in that it can authenticate without
knowing the password: it delegates the whole authentication to a different
database.

That's fine, but if you don't have anything in your authorize section then
you'll just be sending back an empty Access-Accept without any reply
attributes.  In some applications this may be sufficient.

This sort of delegation is rather like proxying, and indeed, you can run IAS
on your AD box and just proxy to it.

IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server
Enterprise edition), but fortunately each freeradius server you put in front
of it only counts as one client :-)

Regards,

Brian.

Re: Active Directory and authorize section

2011-02-02 Thread Brett Littrell
Hi Brian,
 
Thanks for explaining that, guess that makes sense for performance, load 
all the info right away and just wait for authentication to complete before 
sending from memory and not doing another query.  
 
Sorry, did not mean to derail this thread but I appreciate the insight.
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 02, 2011 at 9:01 AM, in message 
 20110202170140.ga12...@talktalkplc.com, Brian Candler 
 b.cand...@pobox.com wrote:

On Wed, Feb 02, 2011 at 07:23:39AM -0800, Brett Littrell wrote:
> Very interesting, I would have thought Authenticate came first then
> Authorize since you need to authenticate in order to be authorized.

The RADIUS protocol kind of fuzzes the two concepts: an Access-Request is
both a request for authentication and authorization.  An Access-Reject could
mean either that you weren't authenticated, or that you're not authorized
for the service you wanted.

FreeRADIUS runs both sections of its config before sending the reply,
because generally authentication needs some data to authenticate, and that
data normally comes from the same place as the authorization data.

> If that is the case and say you pull the vlan ids from ldap, or some other
> directory, how would Freeradius know what those values are prior to
> knowing who you are?

It knows who you *claim* to be (User-Name), so can use that to look up the
reply attributes.  It doesn't know you actually *are* that person yet, but
it won't send back an Access-Accept until it does.

> Or are you saying that the way the program loads
> the config the authorize section simply gets read first?

The authorize section gets executed first; I don't think it makes any
difference what order you put them in the config file.

Regards,

Brian.

Re: MAC Authentication - Bad Idea?

2011-02-02 Thread Brett Littrell
I think it depends on the OS, if an OS is trusting and accepts everything up 
the stack from Layer 2 if the MAC address matches it could start to get 
confused and cause all sorts of issues.  If the device keeps some kind of state 
table for connections and rejects all others there may not be too much of an 
issue.  Naturally in the switched environment it would not work at all.

As far as MAC auth, we do that here as well, basically for printers and such 
and as you stated you just enter the MAC address for the password then push out 
the Tunnel Group ID, Tunnel-Medium-Type and Tunnel-Type.  Of course this is on a 
switched network but for our wireless it works remarkably similar yet again we 
use username/password authentication on that.  We do not have to worry too much 
about session hijacking or MAC spoofing on the wireless side because we use 
WPA2 with AES and dot1x on the auth side.

  One thing you may want to do is have a default unprotected vlan that is the 
default network, have it go directly to a web page with instructions on connecting 
with a secure connection.  If you care anything about your users/customers I 
would say at least offer them some kind of protection, it is just too easy to 
sniff unprotected wireless networks.





-- 

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
 On Wednesday, February 02, 2011 at 12:00 PM, in message
8860_1296676852_4D49B7F4_8860_589_1_D9B37353831173459FDAA836D3B43499AF0FA683@WA
PMBXV0.waddell.com, Gary Gatten ggat...@waddell.com wrote:
> On shared medium, I don't *think* dupe macs will cause much problem, unless 
> maybe a congestion algorithm tweaks traffic to/from that mac. I'm not an 
> expert in that area, just speaking from experience.
 




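The MAC-authentication setup Brett describes (the MAC as both name and password, plus the three tunnel attributes that place the port on a VLAN), as an added example in raddb/users format; it is not the thread's or the project's own configuration. The MAC address and VLAN id are constructed, and the exact MAC formatting (dashes, colons or dots, upper or lower case) is an assumption that depends on what the switch sends as User-Name; the debug output on this page shows dash-separated upper case for Calling-Station-Id.

```unlang
# raddb/users -- entries for devices that cannot do 802.1X.  The switch
# sends the MAC address as both User-Name and User-Password, so the
# check item is the MAC itself.  NAS-Port-Type == Ethernet keeps the
# entry from matching a request that arrives from a wireless NAS, where
# dot1x with real credentials is used instead, so a copied printer MAC
# presented over wireless matches nothing here.  The Tunnel-* reply
# items are what an 802.1Q switch needs to assign the port's VLAN.
# MAC and VLAN id below are constructed for the example.
00-11-22-33-44-55	Cleartext-Password := "00-11-22-33-44-55", NAS-Port-Type == Ethernet
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "30"
```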


RE: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-07 Thread Brett Littrell
Hi 
 
Not sure if you're just having issues with the OID or something else, but I 
found the thread really helped to fix cert issues I had.  
http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.html . 
 I used the MS cert server as described in this listing as well as used our 
Novell Cert server and both worked for issuing a Cert that MS clients will 
accept.  I am sure OpenSSL can do it too, just never looked far enough into it to 
see the exact syntax.
 
Hope this helps.
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Monday, February 07, 2011 at 7:27 AM, in message 
 00a301cbc6db$90153ec0$b03fbc40$@it, Domenico Viggiani 
 dviggi...@tiscali.it wrote:

> if you do, then it's your loss and you'll be limited for the future of
> your infrastructure.
> 
> use freeRADIUS - after all, at least it will give you information and
> debug
> detailed information when NPS goes wrong...well, good luck.
I understand very well: I used older M$'IAS and it offered NO debug info at
all!

> this is probably a trivial issue - how did you create your CA? how did
> you sign
> the radius CRT/PKCS12 file?
I used the self-generated certificates, at first startup of Freeradius
service (installed from Red Hat official RPM package, not compiled).

What else can I do? A client PC with an OS different from XP?

--
DV


RE: 802.1x on Active Directory: no errors in debug but auth fails

2011-02-08 Thread Brett Littrell
I do not recall FR 2.11 default working with Windows so I followed the 
instructions from the link I posted and it started to work after that; of 
course I am using a LDAP back end not AD directly.  I can and do authenticate 
Windows XP SP3 no problem against FR, but as I said it is with an LDAP back 
end, maybe an AD backend is a bit different.
 
Good luck on it either way, you will eventually find your way there I am sure:)
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Tuesday, February 08, 2011 at 3:16 AM, in message 
 00ad01cbc781$94f25850$bed708f0$@it, Domenico Viggiani 
 dviggi...@tiscali.it wrote:

Brett Littrell wrote:

> Not sure if you're just having issues with the OID or something else, 
> but I found the thread really helped to fix cert issues I had. 
> http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.html 
> I used the MS cert server as described in this listing as well as used our
> Novell Cert server and both worked for issuing a Cert that MS clients will
> accept.  
> I am sure OpenSSL can do it too, just never looked far enough into it to see
> the exact syntax

Thanks but I think that recent versions of Freeradius contain a certs
generation script that provides test certificates with all OIDs needed.
Or am I wrong?

I'm currently still unable to authenticate a XP SP3 client to FR by Active
Directory.

Regards
--
DV



Re: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
Hi Chris,
 
We use TACACS+ to administer our switches here and I can tell you that I 
had to add extra stuff to the TACACS replies to allow authorization to manage 
the switches.  So you may be able to login via RADIUS but somewhere you are 
going to have to send information to the switch on what authorization is given 
per user.  This means that you're going to have to have AD respond with this 
information or have some other method that will inject those values when you 
login.
 
I think it is possible but I do not think it will be too easy if you are 
only using AD as the back-end, you may need to use local files to define groups 
with attributes or some scripts to inject the values Cisco wants.
 
Hope that helps.
 
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 09, 2011 at 7:24 AM, in message 
 604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07, Schaatsbergen, 
 Chris chris.schaatsber...@aleo-solar.de wrote:

Greetings all,

We have a couple of Cisco switches that we administer using SSH sessions. Now I 
have been asked if we can authenticate the SSH login on our Windows 2008 Active 
Directory using our Freeradius (2.1.10) installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco
for authenticating inbound shell users and 
http://deployingradius.com/documents/configuration/active_directory.html
for authenticating users on AD.

Now I am trying to combine those two. 

On the Freeradius server Samba and Kerberos are configured, the ntlm_auth 
returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to the 
authenticate section of sites-enabled/default and run freeradius -X I get an 
error that the ntlm_auth module could not be loaded though I have created the 
ntlm_auth file in the modules folder as described in the link. How should I get 
that to work?

Help would be highly appreciated.

Chris Schaatsbergen


RE: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
Yep, simple auth should be no problem, I was referring to pushing the
authorization out to the switch.  So for us, we login and are
automatically at the enable level we defined in TACACS.  When I was
researching this, I believe it said you could get all the same stuff
with RADIUS, the only real difference is that TACACS encrypts more of
the authentication requests than RADIUS and does better accounting.  Of
course it only really works on Cisco which is a major drawback.
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 09, 2011 at 8:11 AM, in message
9938_1297267879_4d52bca7_9938_1_2_d9b37353831173459fdaa836d3b43499af0fa...@wadpmbxv0.waddell.com,
Gary Gatten ggat...@waddell.com wrote:


Authentication with ntlm-auth and *require-membership-of* works well
for us.  Right now we simply authenticate the login/vty session with AD,
and the secret is *authorized* locally by the switch.  So, each person
gets the vty session with their own unique credentials validated via
ntlm-auth and AD.  Everyone knows the secret password.  Works well.  On
our *dev* FR instance I have an FR users file to return various Cisco
attribute-value pairs.  This works well too.  Somewhere down the road
I'll go for a full authorization process with AD on the back side, or
since a relatively small number of users access our gear, might just
stick to users file.  Guess it depends how skilled I get with
LDAP/AD/unlang/whatever else...
G
 
 


From:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org]
On Behalf Of Brett Littrell
Sent: Wednesday, February 09, 2011 9:57 AM
To: FreeRadius users mailing list
Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD

 

Hi Chris,

 

We use TACACS+ to administer our switches here and I can tell you
that I had to add extra stuff to the TACACS replies to allow
authorization to manage the switches.  So you may be able to login via
radius but somewhere you are going to have to send information to the
switch on what authorization is given per user.  This means that you're
going to have to have AD respond with this information or have some
other method that will inject those values when you login.

 

I think it is possible but I do not think it will be too easy if you
are only using AD as the back-end, you may need to use local files to
define groups with attributes or some scripts to inject the values Cisco
wants.

 

Hope that helps.

 

 

 

Brett Littrell

Network Manager

MUSD

CISSP, CCSP, CCVP, MCNE



 On Wednesday, February 09, 2011 at 7:24 AM, in message
604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07, Schaatsbergen,
Chris chris.schaatsber...@aleo-solar.de wrote:


Greetings all,

We have a couple of Cisco switches that we administer using SSH
sessions. Now I have been asked if we can authenticate the SSH login on
our Windows 2008 Active Directory using our Freeradius (2.1.10)
installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco
for authenticating inbound shell users and 
http://deployingradius.com/documents/configuration/active_directory.html
for authenticating users on AD.

Now I am trying to combine those two. 

On the Freeradius server Samba and Kerberos are configured, the
ntlm_auth returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to
the authenticate section of sites-enabled/default and run freeradius -X
I get an error that the ntlm_auth module could not be loaded though I
have created the ntlm_auth file in the modules folder as described in
the link. How should I get that to work?

Help would be highly appreciated.

Chris Schaatsbergen


RE: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
Hey Oli,
 
I think it is always a good idea to keep the switch management on a 
separate management vlan, regardless of whether you encrypt the info or not.  
Between Cisco and Radius servers it does encrypt the password but I don't think 
it does much else.  Gary may be right that it just hashes the password to be 
compared.  Granted, someone may be able to see what level you login as from a 
Radius request, the question is whether it matters?  If they do not have the 
password they will have to run some sort of crack on the switch that should 
throw up warning flags in your Radius logs and hopefully lock your AD account 
with an intruder lockout. 
 
Having a separate vlan for switch management is a lot like a hidden SSID, 
it is by no means the most secure way to protect a network but it keeps the 
riff-raff from trying to hack your network.  People who know how to flood the arp 
tables can bypass vlans if need be, just as someone can get the SSID from a 
hidden Wireless network, that does not mean you have to make it easier for 
them:)
 
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 09, 2011 at 9:20 AM, in message 
 9935_1297272057_4d52ccf9_9935_1355_2_d9b37353831173459fdaa836d3b43499af0fa...@wadpmbxv0.waddell.com,
  Gary Gatten ggat...@waddell.com wrote:

I *think* you are correct.  Between FR and AD it may just be a one-way-hash of 
the pw, but not sure.  FR can't support anything the NAS doesn't.  Well, it 
could but what good would it do?

I remember reading about a new / different flavor of RADIUS that includes 
encryption, but I forget what it's called.  And again, no Cisco stuff I'm using 
supports it so I didn't really put much effort into it.

We don't necessarily have ssh everywhere so obviously unencrypted passwords 
are a possibility.

I can think of several... what's the opposite of elegant... F'd up ways to 
encrypt this - but not pretty.  Network isolation (VLAN's) with strict ACL's 
would at least be a good start - i.e., an authentication vlan.  If the data 
can't be accessed on the wire, then it doesn't really matter if it's encrypted 
- right?  Yeah, I know - better encrypted and some compliance issues may pop up 
as a result on unencrypted stuff flying around.

Interesting


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Oliver Elliott
Sent: Wednesday, February 09, 2011 11:05 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: AW: Authenticating SSH login on a Cisco IOS switch to AD

I had a look into this and as far as I could tell, the conversation 
between the switch and the radius server was not encrypted unless you 
use TACACS. Does anyone know if this conversation can be encrypted while 
using Freeradius, as otherwise the domain login details are presumably 
being sent over the network in clear text?

Oli


On 09/02/11 16:30, Schaatsbergen, Chris wrote:
 Greetings Gary,

 Well, this does sound like what I would like to achieve, we only have 3
 users to administer the Cisco switches, though all domain admins (7)
 could do it.

 We currently have one admin user account and all domain admins know the
 password.

 To go to priv level (enable) we will continue to use one password, we
 only would like the SSH login to be authenticated against AD.

 I am in no hurry (going home now anyway) but would love to hear your
 solution a little more detailed.

 Chris

 *From:*freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org
 [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org]
 *On Behalf Of *Gary Gatten
 *Sent:* Wednesday, 9 February 2011 17:11
 *To:* 'FreeRadius users mailing list'
 *Subject:* RE: Authenticating SSH login on a Cisco IOS switch to AD

 Authentication with ntlm-auth and require-membership-of works well for
 us. Right now we simply authenticate the login/vty session with AD, and
 the secret is authorized locally by the switch. So, each person gets
 the vty session with their own unique credentials validated via
 ntlm-auth and AD. Everyone knows the secret password. Works well. On our
 dev FR instance I have an FR users file to return various Cisco
 attribute-value pairs. This works well too. Somewhere down the road I'll
 go for a full authorization process with AD on the back side, or since a
 relatively small number of users access our gear, might just stick to
 users file. Guess it depends how skilled I get with
 LDAP/AD/unlang/whatever else...

 G

 

 *From:*freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
 [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org]
 *On Behalf Of *Brett Littrell
 *Sent:* Wednesday, February 09, 2011 9:57 AM
 *To:* FreeRadius users mailing list
 *Subject:* Re
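Gary, Oli and Brett are circling the question of how much of a RADIUS exchange is actually protected. The following is an added example, not code from the list or from FreeRADIUS, that implements the RFC 2865 section 5.2 User-Password hiding a NAS applies before sending an Access-Request; the shared secret, password and Request Authenticator in it are constructed values. It makes the scope of that protection visible: the password is XOR-ed with an MD5 keystream derived from the shared secret and the per-request authenticator, and nothing else in the packet is transformed.

```python
import hashlib

BLOCK = 16
MAX_PASSWORD = 128  # RFC 2865: the User-Password attribute carries at most 128 octets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2 User-Password hiding, as the NAS does it.

    Only this one attribute is transformed; User-Name, NAS-IP-Address,
    vendor AV pairs and everything else in the Access-Request go out as
    plain text.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > MAX_PASSWORD:
        raise ValueError("password longer than 128 octets")
    # Pad with NULs to a multiple of 16; an empty password still occupies one block.
    padded = password + b"\x00" * (-len(password) % BLOCK) or b"\x00" * BLOCK
    out = bytearray()
    prev = authenticator                  # b1 = MD5(S + RA)
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = _xor(padded[i:i + BLOCK], b)  # c(n) = p(n) XOR b(n)
        out += c
        prev = c                          # b(n+1) = MD5(S + c(n))
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse transform, as the RADIUS server does it.

    Anyone who holds the shared secret and a copy of the packet (which
    carries the Request Authenticator) can do exactly the same, so the
    transform is keyed obfuscation, not encryption of the conversation.
    """
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    # Trailing NULs were padding; a password that itself ends in NUL cannot be told apart.
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed values for a stand-alone run.
    secret = b"testing123"
    authenticator = bytes(range(16))
    hidden = hide_password(b"s3cret", secret, authenticator)
    print("hidden:", hidden.hex())
    print("revealed:", reveal_password(hidden, secret, authenticator))
```

Because the keystream depends only on the shared secret and the 16-byte authenticator that travels in the same packet, the strength of this protection is the strength of the secret; the management VLAN and ACLs both posters recommend limit who can see the packets in the first place. The "new flavor of RADIUS" Gary half-remembers is RADIUS over TLS (RadSec, later standardized as RFC 6614), which wraps the whole exchange rather than just this attribute.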

Re: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
  Ya, you're right, I meant the CAM table.  Flooding the CAM table with MAC 
addresses caused all the traffic to broadcast to all ports.  My bad, but it 
is/was a fundamental flaw in the way switches work, I know Cisco had a fix out 
for it but it did not work with dot1x and DVlans.
 
  The moral of the story is that vlans are not the end security stop-gap, they 
are just one layer to keep the casual hacker at bay, just as the hidden SSID 
does.
 
Thanks for the correction Brian.
  
 
 It sounds like you have pretty broken switches then. VLANs are always
 separate, floods or no floods.
 
 Also, true switches don't care about ARP at all (as opposed to layer 3
 switches).
 
 Regards,
 
 Brian.

 
 

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

Re: rlm_python and the Tunnel-Private-Group-Id attribute

2011-02-10 Thread Brett Littrell
Hi Bob,
 
I do have this running successfully with eDir.  I am guessing you are using 
the eDir Radius schema extensions?  Also, if you are using Cisco equipment, you 
have to send the vlan name, not the ID.  Not sure if other switches require the 
ID.
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Thursday, February 10, 2011 at 1:24 AM, in message 
 AANLkTi=wzuimz+65y3-qzvzdpcvdwp8f4fhht-b+-...@mail.gmail.com, Bob Brandt 
 b...@brandt.ie wrote:

Not sure if there isn't another forum or mailing list for rlm_python 
specifically, but...

I have been using freeradius for a while now with great results, thanks!

We are using a very simple configuration to authenticate users against LDAP 
(eDirectory) and that part works great! I am trying to add a component that 
will return the necessary attributes to allow for dynamic VLANs

I was able to get this working using the /etc/raddb/users file, however due to 
the size of the organization, this is very messy. I have started using python 
to extract this information from another database and return the information.

All my testing seems to indicate it should work, but it is not. I believe the 
problem is in how rlm_python returns the Tunnel-Private-Group-Id attribute.

My users file (which works) looks like this:

# Generic LDAP return attributes
DEFAULT Auth-Type == LDAP
	Class = "Staff",
	Service-Type = Login,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Type = VLAN,
	Tunnel-Private-Group-ID = 99,
	Fall-Through = Yes

brandtb
	Reply-Message += "You are a member of the IT Group",
	Class := "CACS:0/ebf42/ac8c8e6/administrator",
	Tunnel-Private-Group-ID := 150,
	Alcatel-Lucent-Asa-Access = "all",
	Fall-Through = No

Below are the two snippets of the debugs. The first is from the old (working) 
system which uses the users file and the second is from the new system using 
the rlm_python module:

Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
Service-Type = Login-User
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 := 150
Reply-Message += You are a member of the IT Group
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xc146d1a4c144c80f46bec9bc87d3208b
Finished request 0.

-

Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
Reply-Message = You are a member of the IT Group
Tunnel-Type:0 = VLAN
Class = 0x4f5057537461
Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
Tunnel-Medium-Type:0 = IEEE-802
Service-Type = Login-User
Tunnel-Private-Group-Id:0 = 150
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
Finished request 0.

The debug output looks for the most part identical! 

Now, initially when using the users file, I had the same problem I am having 
now, where the wireless access point was getting the attributes but was not 
putting me in the correct VLAN. The problem turned out that I was passing a 
string to the Tunnel-Private-Group-Id attribute instead of an integer. Once I 
removed the quotes from the VLAN ID everything was working perfectly.

Thinking that the problem was that within Python I was storing the 
Tunnel-Private-Group-Id attribute as a string I changed it to an integer, 
however I immediately got the error:

return tuple must be (str,str)

I don't know how to get around this and I have not been able to find too many 
examples of how to use the rlm_python module. Any help would be greatly 
appreciated.

Thanks
Bob Brandt




-- 
What's the point of having a rapier wit if I can't use it to stab people? - 
Jeph Jacques
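The "return tuple must be (str,str)" error Bob hits is the module insisting that every reply item be a pair of strings; the server converts the text to the attribute's dictionary type itself, so the VLAN ID has to be handed back as text even though it is numeric on the wire. The following added example (not from the thread and not FreeRADIUS code) is a post_auth hook in the shape rlm_python calls, returning the same dynamic-VLAN attributes Bob's users file produces; the user-to-VLAN table, the user names and the NAS address in it are constructed, and the numeric rcode values in the stand-in `radiusd` class are assumed to match the server's.

```python
"""rlm_python post_auth hook returning dynamic-VLAN reply attributes (added example)."""

try:
    import radiusd  # supplied by rlm_python when this file is loaded inside the server
except ImportError:
    class radiusd:  # stand-in so the file runs and can be tested outside the server
        RLM_MODULE_OK = 2          # assumed FreeRADIUS 2.x rcode numbering
        RLM_MODULE_NOTFOUND = 6
        RLM_MODULE_NOOP = 7

# Constructed lookup table. Values may be a numeric ID or a VLAN name
# (Brett reports Cisco gear wanting the name); both are sent as text.
VLAN_BY_USER = {"brandtb": 150, "jdoe": "guest-vlan"}
DEFAULT_VLAN = 99


def vlan_reply_items(vlan):
    """Reply items for a dynamic VLAN. Every element is a (str, str) pair,
    which is the only shape rlm_python accepts; the VLAN goes through str()
    so an int from the database never reaches the module as an int."""
    return (
        ("Service-Type", "Login-User"),
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan)),
    )


def check_reply_items(items):
    """The shape check implied by the server's error message, done here so
    the mistake shows up in a unit test instead of in the debug output."""
    for item in items:
        if not (isinstance(item, tuple) and len(item) == 2
                and all(isinstance(x, str) for x in item)):
            raise TypeError("return tuple must be (str,str), got %r" % (item,))
    return True


def request_attr(p, name):
    """p is the tuple of (attribute, value) string pairs rlm_python passes in."""
    for attr, value in p:
        if attr == name:
            return value
    return None


def post_auth(p):
    """Called by rlm_python with the request's attribute pairs."""
    user = request_attr(p, "User-Name")
    if user is None:
        return radiusd.RLM_MODULE_NOOP
    vlan = VLAN_BY_USER.get(user, DEFAULT_VLAN)
    reply = vlan_reply_items(vlan)
    check_reply_items(reply)
    # (rcode, reply items, config items) is the tuple form rlm_python understands
    return (radiusd.RLM_MODULE_OK, reply, ())


if __name__ == "__main__":
    # Constructed request, as a stand-alone demonstration.
    print(post_auth((("User-Name", "brandtb"), ("NAS-IP-Address", "10.200.113.99"))))
```

The string form does not change what reaches the access point: the server still encodes Tunnel-Private-Group-Id per its dictionary, which is why the two debug captures above look alike. Keeping the table lookup outside the hook (as Bob does with his database) and funnelling every result through `vlan_reply_items` means a stray integer or `None` is caught in one place.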

Re: rlm_python and the Tunnel-Private-Group-Id attribute

2011-02-10 Thread Brett Littrell
Sorry,  Reading a little deeper into the email, I do not have it the way you 
set it up.  I use eDir for all the DVlan attributes and have Radius query when 
the user logs in.  Most of the assignments are done via Radius profiles in 
eDir.  The Cisco thing I know is the case however, was pulling my hair out 
using the ID before and found you had to use the name.
 
Hope you get the perl side to work.  
 
Thanks
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE



Re: Freeradius2.1.3 + Fedora9 + PEAP + AD = problem

2011-02-16 Thread Brett Littrell
Pretty new to FR as well but from what it looks like to me is you're using 
Workstation login not user login.  The portion
 
[suffix] No '@' in User-Name = host/W400210.interoute.com, looking up
realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 198 length 31
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
 
looks like your supplicant is sending workstation logins and your LDAP 
server is rejecting them.  I don't know though, I am not a big log reader, I 
skim over them to find the error, I really need to get into them more:)
 
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE


 On Wednesday, February 16, 2011 at 1:38 AM, in message 
 1297849120978-3387353.p...@n5.nabble.com, lucky79 
 lukas.hofric...@interoute.com wrote:


Hi Alan,

Thanks for quick reply

I have read the log several times however nothing points me to the right
direction...that's why I posted a question here...

when I use usern...@domain.com I get access-reject as ntlm authentication
fails so from this point it's working ok I guess. Also I don't think it's a
certificate problem as I've got same results with linux / windows 7 clients.

From the debug I see ntlm authentication went OK then EAP session does not
finish, but why is this happening? Do you think I am really facing the
certificate compatibility problem? Even though it's working fine with freeradius
1.1.7? I've tried to create a new one but same results...
Or have I missed anything else? Sorry FR 2.x.x is still new to me

Thanks
Lukas
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/Freeradius2-1-3-Fedora9-PEAP-AD-problem-tp2780544p3387353.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

Re: Hash username or mac address to assign user to different vlan

2011-02-17 Thread Brett Littrell
I agree breaking the network up into separate VLANs then routing between 
them would help with broadcasting but I do not agree with hashing values and 
then using those hashed values as randomizing agents to distribute vlans.  
There has to be a more elegant way to do this, I believe there is.
 
   First off, randomizing what network a host is going to be on is going to 
be extremely confusing when you try and troubleshoot other issues, for instance 
a virus outbreak, now you have to figure out who is on what subnet and who is 
sending what etc.  I can think of a lot of other issues that would cause 
headaches, suffice to say it is not a good idea.
 
The better way to do this is to break people up by some logical means, such 
as Accounting, testing, personnel etc.  Then create groups and assign group ids 
based on the users in those groups.  This gives the benefit of segmenting and 
securing like-minded traffic as well, maybe accounting can only talk to 
accounting, personnel can only talk to these servers, or those servers etc.  Of 
course you would have to route to other subnets if you want them to talk but 
now you have control to say only this group of people can talk to that group of 
people and not just open it up for everyone.  
 
Even if you assign users by Group1, Group2, Group3 and you have a virus 
outbreak now you can at least look at it and say right away all Group1 subnet 
is crazy and have a list of all the stations/users in that group.
 
Anyway, that is my 2 cents on the whole deal.
 
 
Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
 
 On Thursday, February 17, 2011 at 11:26 AM, in message 
 fc9038-7cg@chipmunk.wormnet.eu, Alexander Clouter 
 a...@digriz.org.uk wrote:

schilling schilling2...@gmail.com wrote:
 
 I get dynamic VLAN assignment working in post-auth section with 
 help/hints from a lot of list members. Now I want to do one more 
 steps. I would like to hash the username or mac-address to distribute 
 users to different VLANs. The idea is to use freeradius to spread the 
 load on different smaller subnets to reduce the broadcast in bigger 
 VLANs.

You are however not reducing the broadcast domain, you might be 
segregating the noise though.  If you have large L2 broadcast domains, 
splitting people up into different VLAN's is not going to in effect 
solve the problem.

For background noise, you can actually reduce chatter by asking Windows 
clients to disable NetBEUI via DHCP and configure switches/wifi to not 
forward client-client traffic where appropriate.  For wireless networks 
you can also kill a lot of multicast traffic (5353/udp is a good example 
I would say).

Another possible work around is that VLAN 'facstaff' at site A is not 
the same broadcast domain at site B.

Better still, L3 is the way to go.  We have and it solves a lot of 
problems, although there is upfront migration pains.

 For example I want to do the following
 if ( "%{User-Name}" !~ /@/ ) {
   if ( "%{User-Name}" % 2 == 0 ) {
     update reply {
       Service-Type = Framed-User
       Tunnel-Type = VLAN
       Tunnel-Medium-Type = IEEE-802
       Tunnel-Private-Group-Id = "facstaff0"
     }
   }
   elsif ( "%{User-Name}" % 2 == 1 ) {
     update reply {
       Service-Type = Framed-User
       Tunnel-Type = VLAN
       Tunnel-Medium-Type = IEEE-802
       Tunnel-Private-Group-Id = "facstaff1"
     }
   }
 }
 
 Will I be able to do this in the post-auth with unlang?

You probably would get better mileage calling on 'md5' xlat, I think 
the following sort of thing will work:

authorize {
  update reply {
    Service-Type := Framed-User
    Tunnel-Type := VLAN
    Tunnel-Medium-Type := IEEE-802
  }

  # kludge to fake substr()
  if ("%{md5:%{User-Name}}" =~ /^(.)/) {
    if ("%{1}" =~ /^[0-7]/) {
      update reply {
        Tunnel-Private-Group-Id := "facstaff0"
      }
    } else {
      update reply {
        Tunnel-Private-Group-Id := "facstaff1"
      }
    }
  }
}
 

I would recommend L3-ising your network though if possible and as the 
rubberband-aid use DHCP/ACL's to keep broadcast/multicast traffic noise 
to a minimum.

Cheers

-- 
Alexander Clouter
.sigmonster says: RAM wasn't built in a day.
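Alexander's unlang rule decides the VLAN from the first hex digit of the MD5 of User-Name. The following added example (not from the list and not FreeRADIUS code; the user names are constructed) mirrors that rule in Python, generalizes it to any number of VLANs in a way that agrees with the two-VLAN rule exactly, and answers Brett's troubleshooting objection: because the placement is a deterministic function of the user name, an admin can list who sits in which VLAN offline instead of guessing.

```python
import hashlib

# Constructed user names, not from the thread.
SAMPLE_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]


def unlang_md5_bucket(user_name: str) -> str:
    """Mirror of the posted unlang: first hex digit of md5(User-Name),
    0-7 -> facstaff0, 8-f -> facstaff1."""
    first_hex = hashlib.md5(user_name.encode("utf-8")).hexdigest()[0]
    return "facstaff0" if first_hex in "01234567" else "facstaff1"


def md5_bucket(user_name: str, vlan_names) -> str:
    """Generalization to N VLANs.

    The 128-bit digest is scaled to N buckets using its most significant
    bits, so for N == 2 the result is exactly the "top nibble < 8" test
    above, and for any N the result is deterministic per user name.
    """
    if not vlan_names:
        raise ValueError("need at least one VLAN name")
    digest = int(hashlib.md5(user_name.encode("utf-8")).hexdigest(), 16)
    return vlan_names[(digest * len(vlan_names)) >> 128]


def users_in_vlan(user_names, vlan_name, vlan_names):
    """Which of these users land in vlan_name: the offline answer to
    'who is on that subnet' when the placement is hash-based."""
    return sorted(u for u in user_names if md5_bucket(u, vlan_names) == vlan_name)


def bucket_counts(user_names, vlan_names):
    """How evenly a user population spreads across the VLANs."""
    counts = {v: 0 for v in vlan_names}
    for u in user_names:
        counts[md5_bucket(u, vlan_names)] += 1
    return counts


if __name__ == "__main__":
    two = ["facstaff0", "facstaff1"]
    for u in SAMPLE_USERS:
        print(u, unlang_md5_bucket(u))
    print(bucket_counts(SAMPLE_USERS, two))
    print(bucket_counts(SAMPLE_USERS, ["facstaff0", "facstaff1", "facstaff2"]))
```

Two caveats follow from the code rather than the thread: the hash is over the exact User-Name string, so `Alice` and `alice`, or a name with and without a domain prefix, land in different VLANs unless the name is normalized first; and spreading users evenly is a different goal from the per-group segmentation Brett argues for, which a hash cannot express.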


Trying to remove a suffix

2011-09-09 Thread Brett Littrell
 seconds.
Cleaning up request 0 ID 239 with timestamp +10
Ready to process requests.
 
 
 
Brett Littrell
Network Manager
Milpitas Unified School District
blittr...@musd.org
Ph# (408)635-2600 X6086
Fax# (408)635-2632
CISSP, MCNE, CCVP, CCSP, Project+,MCITP/EA


Re: Trying to remove a suffix

2011-09-09 Thread Brett Littrell
Hi All,
 
   NM, you know I have been working on this for the last two days, I post here 
and no more than 30 minutes later I have a breakthrough..  Guess that is how it 
always works.
 
   Found a good ref on the FreeRadius site on the hints and started messing 
with that and came up with 
 
DEFAULT User-Name =~ "^([^.]+)", Strip-User-Name = yes
	User-Name := "%{1}"

Thanks anyway!!..

 
Brett Littrell
Network Manager
Milpitas Unified School District
blittr...@musd.org
Ph# (408)635-2600 X6086
Fax# (408)635-2632
CISSP, MCNE, CCVP, CCSP, Project+,MCITP/EA

 On Friday, September 09, 2011 at 9:22 AM, in message 
 4e69dac902690003f...@internetemail.musd.org, Brett Littrell 
 blittr...@musd.org wrote:

Hi All,
 
   I hate to post this here, I am sure there is a fairly simple thing to do 
this but I have been looking and can't seem to find how to do it.
 
   So we have users that typically login with a relative context.  So there is 
a base context set to say ou=HS1.o=students, then they type in their name with 
a relative context, so it may be jsmith.y2012, with our network it sends to the 
server jsmith.y2012.hs1.students and logs in just fine.  The problem we are 
having is that freeradius is getting the jsmith.y2012 as the username and 
trying to send that to ldap that first does not understand . and second the 
ldap side is a flattened tree to speed up lookups so there is no sub-context.  
 
So the solution would seem to be to strip everything after the '.' so 
jsmith.y2012 becomes just jsmith.  So I have been approaching it from this 
side and have tried using hints and attr_rewrite to do it.  I am sure I missed 
something in each of them because it seems either should work, especially after 
reading a lot of the archived threads.  So this is what I have done so far:
 
created a relative_username module and placed it in /etc/raddb/modules 
directory.  Contents are :
 
attr_rewrite relative_username {
	attribute = User-Name
	searchin = packet
	searchfor = ".y2012"
	replacewith = ""
	ignore_case = yes
	max_matches = 1
	append = no
}

This is just for testing, I originally tried a regex expression of 
searchfor =~ ^\w* and searchfor = ^\w* but the unlang equal for regex 
popped with an error and the regular = I do not think recognized regex so I 
assumed that meant the regex was not supported in this module.  Anyway, I have 
been testing the rewrite with a literal for a specific user to just see if it 
will work and does not seem to work.
 
   From here I call the relative_username in the 
/etc/raddb/sites_enabled/Radsite file in the Authorize section
 
authorize {
relative_username

   With this everything loads fine and running radiusd -X I see that it is 
still trying to send the info to the LDAP server as jsmith.y2012 and of course 
it is failing.
 
So on the hints side I was a little unsure of how it worked so I tried :
 
DEFAULT User-Name =~ "^\w+"
	User-Name := "%{1}"
 
  That also did not seem to have an effect. 
 
   So I am sure I am either barking up the wrong tree with both of these 
approaches or I am missing something in here.  I should also mention, if I do 
not use the relative context the user authenticates just fine all is good in 
the world, it is just that darn trailing .y2012 that is the issue.
 
   Sorry ahead of time if this is really a stupid question, I am still learning 
freeradius (which I think is awesome)...
 
So the debug log is below but it basically shows an object not found.
 
rad_recv: Access-Request packet from host 10.2.2.100 port 36360, id=239, 
length=65
User-Name = jsmith.y2012
User-Password = 123454
NAS-IP-Address = 10.2.2.100
NAS-Port = 1813
+- entering group authorize {...}
[preprocess]expand: %{User-Name} - jsmith.y2012
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = jsmith.y2012, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for jsmith.y2012
[ldap]  expand: (cn=%{mschap:User-Name:-%{User-Name}}) - (cn=jsmith.y2012)
[ldap]  expand: o=musd - o=musd
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.###.###.###:636, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /etc/raddb/certs/rootder2.b64
rlm_ldap: bind as cn=###,ou=Radius,o=servers/# to 10.###.###.###:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=musd, with filter (cn=jsmith.y2012)
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration

Re: Trying to remove a suffix

2011-09-09 Thread Brett Littrell
Hi All,
 
Guess I spoke too soon.  I was using radtest and that worked great when I 
went to an actual workstation it was a different story.  I am getting the old 
[eap] Identity does not match User-Name, setting from EAP Identity.  From 
reading through the archives it looks like this has been an issue in the past.  
So far it is mostly solved with the mschap call which I do not think will work 
with the .y2012 issue.  
 
I am still researching this part but if anyone has any ideas of where I may 
find a solution or an idea to fix it I would appreciate the short cut:)
 
Thanks
 

 
 
Brett Littrell
Network Manager
Milpitas Unified School District
blittr...@musd.org
Ph# (408)635-2600 X6086
Fax# (408)635-2632
CISSP, MCNE, CCVP, CCSP, Project+,MCITP/EA
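Brett's two hints attempts differ in one detail that decides the outcome: `^\w+` has no capture group, so `%{1}` has nothing to hold, while `^([^.]+)` captures everything before the first dot. The following added example (not from the list and not FreeRADIUS code; the identities are constructed) emulates the `DEFAULT User-Name =~ "<regex>"` / `User-Name := "%{1}"` pair with Python's `re` so both patterns can be checked against the same names, including the edge cases the hint does not handle.

```python
import re

# Patterns as posted in the thread (the hints file wants them quoted).
PATTERN_FIRST_TRY = r"^\w+"      # no capture group, so %{1} is empty in this emulation
PATTERN_WORKING = r"^([^.]+)"    # group 1 = everything before the first '.'

# Constructed identities: the thread's case, a name without a context,
# a context with no name in front, and a name that itself contains a dot.
SAMPLES = ["jsmith.y2012", "jsmith", ".y2012", "j.smith.y2012"]


def apply_hint(user_name: str, pattern: str):
    """Emulate one hints entry.

    Returns the new User-Name, or None when the regex does not match and
    the hint leaves the attribute alone. When the pattern has no capture
    group, %{1} is taken to be the empty string.
    """
    m = re.match(pattern, user_name)
    if m is None:
        return None
    return m.group(1) if m.re.groups >= 1 else ""


def strip_relative_context(user_name: str) -> str:
    """Plain-Python equivalent of the working hint: drop everything from
    the first '.' onwards, and leave names without a '.' untouched."""
    new = apply_hint(user_name, PATTERN_WORKING)
    return user_name if new is None else new


def hint_results(pattern: str):
    """Table of what a hint would make of each sample identity."""
    return {name: apply_hint(name, pattern) for name in SAMPLES}


if __name__ == "__main__":
    for label, pattern in (("first try", PATTERN_FIRST_TRY), ("working", PATTERN_WORKING)):
        print(label, hint_results(pattern))
```

Two things the table makes visible: a CN that legitimately contains a dot is truncated by the working hint too, so the rule assumes dots never occur in real names; and, as Brett finds in the follow-up, the hint only rewrites the RADIUS User-Name attribute, while an EAP conversation carries the identity inside the EAP-Message as well.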
