And many requests later you ask about it:
++? if (control:Tmp-String-0 == ldap-student)
(Attribute control:Tmp-String-0 was not found)
.. and it's not there. Of course it's not, since it wasn't
set during processing of that Access-Request but much earlier
in the exchange.
Obvious
Update a server-side attribute when you use the module:
update control {
Tmp-String-0 = ldap-student
}
then in post-auth:
if (control:Tmp-String-0 == ldap-student) {
...
}
I'm really grateful for all your help but it still doesn't work and after hours
And I get:
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == ldap-student)
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 129 to 10.127.240.217 port 1645
Towards the beginning of the debug output is:
Can you post the whole debug, not just snippets. Are these
from the same or from different requests in the exchange?
Perhaps you need use_tunneled_reply rather than this.
Here's the complete debug (excluding the server start-up messages). There's
rather a lot of it which is why I tried to post the bits relevant to what I'm
trying (rather unsuccessfully :-) ) to understand.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36,
length=148
..
Now I'm trying to return different reply attributes
depending on Active Directory group membership and restrict
which groups can authenticate. Ldap lookups against the
active directory root fail with operation error.
Reconfiguring Active Directory is not a viable option so I
have to
Leighton Man wrote:
I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts.
I can't do if Ldap-Group because there is no container in Active Directory
above staff and student to query.
What I think I need is:
if ldap_staff returns ok {
update reply{
see man unlang. The syntax and examples are documented.
Read it many times. The problem is not the documentation, which is great, but
my understanding which isn't!
I'm working on it but finding it heavy going.
...
ldap_staff
if (ok) {
update reply {
...
Leighton Man wrote:
Logic now working correctly - Many thanks
Final problem is to return reply attributes in the access accept message. As
a test I added Reply-Message := User is staff in the update reply section
and the server duly added it to the next access challenge message. I assume I
Hi,
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt)
so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to
authenticate against Active Directory using ntlm-auth.
All working OK.
Now I'm trying to return different reply
On 06.03.2009 at 12:20, Leighton Man wrote:
Hi,
I'm new to freeradius (3 weeks experience) and mailing lists
(second attempt) so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured
to authenticate against Active Directory using ntlm-auth.
All working
Leighton Man wrote:
Many thanks for this. I'm using 1.1.7 because it's available as a pre-built
package on solaris for both sparc and x86 architectures. The idea is to get
freeradius configured and working as fast as possible so it can be demo'd to
management (I'm trying to retire Cisco
Huh? It compiles on 3-4 different Solaris boxes that I have access to.
Did you run make from the TOP directory, or by cd'ing to src/lib?
Alan DeKok.
Tried gmake from the top directory and gcc -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS
Is there any way to do what I want without upgrading?
You can try users file:
DEFAULT Ldap-Group == staff
some reply
DEFAULT Ldap-Group == student
some other reply
DEFAULT Auth-Type := Reject
That should be at the end of the users file (ie. anything
Leighton Man wrote:
Tried gmake from the top directory and gcc -g -O2 -D_REENTRANT
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS
-I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c -fPIC -DPIC -o
.libs/dict.o (copy and paste from the gmake output) from the
Hmm... would it be possible to have to give *more* output? i.e. start from a
fresh directory:
$ tar -zxf freeradius-server-2.1.3.tar.gz
$ cd freeradius-server-2.1.3
$ ./configure
$ gmake
And show the errors (not the dozens of lines saying building foo, or the
last dozen lines saying
Ryan,
I am now actually in the process of implementing your method.
auth via ntlm
retrieve attributes via ldap (group, dialup_access, etc)
Can you suggest some reading or point me in the right direction.
ATM I have ntlm and ldap configured and ntlm (hoping it might just
work :P and for
Were you ever able to solve the issue of multiple OU's? I have about 100
OU's that have users under them, running without a specified OU doesn't
work, and obviously once I drop into an OU it hits the users that live
there, and no others.
Ryan
On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
On Tue, 2007-06-05 at 09:22 -0500, Ryan Kramer wrote:
Were you ever able to solve the issue of multiple OU's? I have about
100 OU's that have users under them, running without a specified OU
Why can't you specify a top-level OU and use subtree searches?
doesn't work, and obviously once I
Sure, I have no probs doing it via the wiki. When I get a chance I
will create. For me the biggest help was finding SecureW2, truly an
excellent little app.
On 5/2/07, Ryan Kramer [EMAIL PROTECTED] wrote:
You can take care of #1 by still doing LDAP to AD for the groups, but using
ntlm for the
Jacob,
Could you please send the steps you followed to integrate ad with FR?.
I am completely lost and confused with the information available on
this .
thanks,
SB
On 5/1/07, Jacob Jarick [EMAIL PROTECTED] wrote:
Thanks for the Tip ryan but I have been down that road and 2 reasons stopped
me:
You can take care of #1 by still doing LDAP to AD for the groups, but using
ntlm for the password authentication. This seems counterproductive, unless
you are using a backside encryption where you need to do it that way, which
is what I ended up having to do.
On 4/30/07, Jacob Jarick [EMAIL
depending on the wifi auth method, you may want to also investigate a
NTLM_AUTH method instead of straight ldap. This requires the freeradius
machine to be a member of the domain, but once you do that it works great.
On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
OK tried with 1.1.4 and
Thanks for the Tip ryan but I have been down that road and 2 reasons stopped me:
1 - no way of retrieving ldap groups
2 - Been requested not to have samba on the machine.
ntlm_auth was very straight forward for me because it supports all the
encryption methods.
On 5/1/07, Ryan Kramer [EMAIL
Thanks for the very detailed instructions.
I will attempt this shortly (bought rad ad servers home for weekend study).
Quite possible the biggest learning curve for me is the ldap fields
but I am finally starting to get familiar with them.
Cheers again, will post back once I've run the radtest.
radiusd.conf: http://pastebin.ca/464133
radius -X output: http://pastebin.ca/464138
Tried with 1.1.6 and fails with this error:
rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
rlm_ldap: Reading dictionary mappings from
OK tried with 1.1.4 and yerp works great.
radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156
I also realised a mistake I have been making, see I want to search the
whole active directory, hence I kept setting my basedn without an ou.
After seeing your excellent
-Original Message-
From:
[EMAIL PROTECTED]
eradius.org [mailto:freeradius-users-
[EMAIL PROTECTED] On
Behalf Of Jacob Jarick
Sent: Sunday, 29 April 2007 20:48
To: FreeRadius users mailing list
Subject: Re: Freeradius Auth via LDAP against Active
Directory Server 2003
OK
mailing list
Subject: Re: Freeradius Auth via LDAP against Active
Directory Server 2003
OK tried with 1.1.4 and yerp works great.
radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156
I also realised a mistake I have been making, see I want to
search
I haven't been following your (quite extensive) queries, so apologies if
I've missed something fundamental.
I honestly don't know why this is proving so difficult. I've just tested
this against our own 2k3 AD service, and although I'm pretty familiar
with FR it took under 5 minutes. Try
Well I have another angle I will be attacking the problem from on the weekend.
I will be installing and configuring OpenLDAP on my linux server
making it replicate the ADS 2003 server then following the
gentoo-wiki's Freeradius and OpenLDAP implementation howto.
So the modified layout plan:
I have been at this for awhile now, so I thought I would share a
summary of what I have figured out so far for anyone else that decides
to try this.
1 - Documentation for this particular configuration is either out of
date / incomplete / both. There are no howtos that will get from start
to end
Hi folks,
I want to authenticate users from a WLAN with freeradius. The
Users are stored in the Active Directory of a Windows 2003
Server.
With some Tutorials from the Internet I have configured
freeradius to make that.
Unfortunately the Authentication does not function successfully.
That's the output
-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
eeradius.o
rg]On Behalf Of [EMAIL PROTECTED]
Sent: 03 April 2006 10:27
To: freeradius-users@lists.freeradius.org
Subject: Problem with LDAP against Active Directory
Hi folks,
I want to authenticate users from a WLAN with freeradius
:[EMAIL PROTECTED]
eeradius.o
rg]On Behalf Of [EMAIL PROTECTED]
Sent: 03 April 2006 10:27
To: freeradius-users@lists.freeradius.org
Subject: Problem with LDAP against Active Directory
Hi folks,
I want to authenticate users from a WLAN with freeradius. The
Users are stored in the Active
Hi,
I have a question about the problem below.
If in LDAP (openldap) we provide the ntpassword (with samba), it will
work for authenticate Windows XP users with PEAP + mschapv2 ??
Note however, that storing/using ntpasswords instead of cleartext
passwords offers no advantage at all -
@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue
Where is a good place to read the details of how ntlm_auth integrates in
with AD ?
Ron.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Willey
Kurt D
Sent: Thursday, January 13, 2005 3:27 PM
Ok, I have peap working with the users file and with mysql, and I have
radius working with ldap also. But I can not get a user to
authenticate against ldap using peap. I have seen that you can't use
eap and ldap, but peap and ldap should work from what I have read.
Any hints? the debug that I am
AJ Grinnell [EMAIL PROTECTED] wrote:
Ok, I have peap working with the users file and with mysql, and I have
radius working with ldap also. But I can not get a user to
authenticate against ldap using peap.
The server does not authenticate against LDAP for any EAP type. See
my previous
On Thu, 13 Jan 2005 10:06:15 -0500, Alan DeKok [EMAIL PROTECTED] wrote:
AJ Grinnell [EMAIL PROTECTED] wrote:
Ok, I have peap working with the users file and with mysql, and I have
radius working with ldap also. But I can not get a user to
authenticate against ldap using peap.
The
I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared with the hash that
was
: Thursday, January 13, 2005 8:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue
I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has
Does anyone have an example of radiusd.conf that will show the
following. I know this can be done.
Windows XP client -- 802.1x/PEAP -- Freeradius 1.0.1 -- Active Directory
I have tried many different configs, yet I am still getting an error
with the password. I just need an example, please.
-
, PEAP, Active Directory issue
I am having the same problem. When you use an EAP type (like PEAP), a
hash of the password is sent to the radius server. The radius server is
able to deal with this if it has the password (such as in a mysql DB or
local file). The password can be hashed and compared
yes
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel
Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue
Hi,
I have a question about the problem below
-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue
Does anyone have an example of radiusd.conf that will show the
following. I know this can be done.
Windows XP client -- 802.1x/PEAP -- Freeradius 1.0.1 -- Active
Directory
I have tried many different configs, yet I am still
Of Israel
Fabio Alves
Sent: Thursday, January 13, 2005 1:19 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue
Hi,
I have a question about the problem below.
If in LDAP (openldap) we provide the ntpassword (with samba), it will
work for authenticate Windows XP
]
[mailto:[EMAIL PROTECTED] On Behalf Of Israel
Fabio Alves
Sent: Thursday, January 13, 2005 2:25 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: LDAP, PEAP, Active Directory issue
Sorry for the question, but do you have a sample radius.conf to publish
for as.
Because a tried configure
AJ Grinnell [EMAIL PROTECTED] wrote:
I'm sorry, I have not seen any replies that you may have given me.
You not only saw, you responded. Please remember the answers you're
given on this list. It helps to avoid repetition.
Israel Fabio Alves [EMAIL PROTECTED] wrote:
If in LDAP (openldap) we provide the ntpassword (with samba), it will
work for authenticate Windows XP users with PEAP + mschapv2 ??
Yes.
Alan DeKok.
Are you storing the passwords in OpenLDAP or
Active Directory?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Willey
Kurt D
Sent: Thursday, January 13, 2005 12:21 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory
AD
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ron
Wahler
Sent: Thursday, January 13, 2005 4:13 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue
Are you storing the passwords in OpenLDAP or
Active
: RE: LDAP, PEAP, Active Directory issue
AD
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ron
Wahler
Sent: Thursday, January 13, 2005 4:13 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue
Are you storing
PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ron
Wahler
Sent: Thursday, January 13, 2005 4:25 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: LDAP, PEAP, Active Directory issue
So when you use Samba you can get the password in the clear ? how
Is the mschap hash generated?
Ron
, July 02, 2004 17:12
Subject: Re: LDAP and Active Directory
Hi,
This may look like a recurring question, but I've checked the
whole mailing list and many other websites but this isn't
clear to me.
I'm currently working on a gateway using a very poor but
strong configuration of free
Hello Marc,
Sunday, July 4, 2004, 2:32:45 PM, you wrote:
MJ Just a last question :
MJ I need OpenLDAP when I compile FreeRadius, but once FreeRadius is compiled,
MJ can I remove OpenLDAP or must I keep it running ?
I guess you should keep OpenLDAP installation because of
freeradius
it as lightweight and strong as possible !
My question is the following :
My bosses wants me to make my Linux box join some of the
centralized user db we have. Our society has 4 kind of
(different) user databases including NIS, LDAP, Active
Directory, MySQL, ...
So to make radius authenticate using
to made
it as lightweight and strong as possible !
My question is the following :
My bosses wants me to make my Linux box join some of the
centralized user db we have. Our society has 4 kind of
(different) user databases including NIS, LDAP, Active
Directory, MySQL, ...
So to make radius