Re: FreeRadius+AD integration
> Hi, radius.conf as per the instructions, but radtest fails with Access-Reject. I have attached the debug window output for reference.

no you haven't. you've attached a tiny snippet of the debug output.

> auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

but at least it shows this bit - how are you attempting to authenticate and WHAT are you attempting to authenticate?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Add a secondary ldap server to radiusd.conf
Hello,

how can I add a secondary ldap server to radiusd.conf for failover?

Regards
Boert
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> Hi, I am trying to integrate freeradius with ADS 2003. I referred to http://deployingradius.com/documents/configuration/active_directory.html. Everything works perfectly fine till
>
>     $ ntlm_auth --request-nt-key --domain=*MYDOMAIN* --username=*user* --password=*password*
>
> I get NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module in radius.conf as per the instructions, but radtest fails with Access-Reject. I have attached the debug window output for reference.

  You did not add the ntlm_auth entry to the authenticate section, as the web page says.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: Add a secondary ldap server to radiusd.conf
Hubert Kupper wrote:
> Hello,
>
> how can I add a secondary ldap server to radiusd.conf for failover?

Just create a second ldap module instance with the secondary ldap server configuration and read doc/configurable_failover

> Regards
> Boert
[how] installing
Can anybody help me with how to install and configure RADIUS on CentOS? Thanks in advance.
Problem with realm
Hi,

I'm trying to configure freeradius for authentication with username and pwd. It works if I enter the information directly, but if I configure the client to authenticate with username and password, it transmits HOSTNAME\USERNAME. I discovered realms, but I can't get it to work. I hope that you can help me with a hint; I added my radiusd.conf below.

Regards
Christian

    prefix = /usr
    exec_prefix = ${prefix}
    sysconfdir = /etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log/radius
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run/radiusd
    log_file = ${logdir}/radius.log
    libdir = /usr/lib/freeradius
    pidfile = ${run_dir}/radiusd.pid
    user = root
    group = root
    max_request_time = 30
    delete_blocked_requests = no
    cleanup_delay = 5
    max_requests = 1024
    bind_address = *
    port = 0
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    log_stripped_names = yes
    log_auth = no
    log_auth_badpass = no
    log_auth_goodpass = no
    usercollide = no
    lower_user = no
    lower_pass = no
    nospace_user = no
    nospace_pass = no
    checkrad = ${sbindir}/checkrad
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }
    proxy_requests = no
    $INCLUDE ${confdir}/clients.conf
    snmp = no
    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
    }
    modules {
        chap {
            authtype = CHAP
        }
        unix {
            cache = no
            cache_reload = 600
            radwtmp = ${logdir}/radwtmp
        }
        $INCLUDE ${confdir}/eap.conf
        mschap {
            authtype = MS-CHAP
        }
        realm ntdomain {
            format = prefix
            delimiter = "\\"
            ignore_default = no
            ignore_null = no
        }
        preprocess {
            ascend_channels_per_line = 23
            with_ntdomain_hack = no
        }
        files {
            usersfile = ${confdir}/users
            preproxy_usersfile = ${confdir}/preproxy_users
            compat = no
        }
        detail {
            detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
            detailperm = 0600
        }
        acct_unique {
            key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
        radutmp {
            filename = ${logdir}/radutmp
            username = %{User-Name}
            case_sensitive = yes
            check_with_nas = yes
            perm = 0600
            callerid = "yes"
        }
        attr_filter {
            attrsfile = ${confdir}/attrs
        }
        expr {
        }
        exec {
            wait = yes
            input_pairs = request
        }
        exec echo {
            wait = yes
            program = "/bin/echo %{User-Name}"
            input_pairs = request
            output_pairs = reply
        }
    }
    instantiate {
        exec
        expr
    }
    authorize {
        preprocess
        chap
        mschap
        ntdomain
        eap
        files
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        unix
        eap
    }
    preacct {
        preprocess
        acct_unique
        ntdomain
        files
    }
    accounting {
        detail
        unix
        radutmp
    }
    session {
        radutmp
    }
    post-auth {
    }
RE: [how] installing
www.deployingradius.com

or

    yum install freeradius
    vi /etc/raddb/*

or

    wget ftp://ftp.freeradius.org:/pub/radius/freeradius-1.1.6.tar.bz2
    tar -xjvf freeradius-1.1.6.tar.bz2
    cd freeradius-1.1.6
    ./configure
    make
    make install
    vi /etc/raddb/*

seriously, your question is just SO open.

alan
Re: Add a secondary ldap server to radiusd.conf
Hubert, would you mind showing me how you map the ldap password to the radius password. I've tried

    checkItem userPassword User-Password

but the radius debug logs complain that it needs User-Password still :|

On 4/23/07, Hubert Kupper [EMAIL PROTECTED] wrote:
> Hello,
>
> how can I add a secondary ldap server to radiusd.conf for failover?
>
> Regards
> Boert
Re: override ldap reply attribute
[EMAIL PROTECTED] wrote:
> Hi Guys,
>
> I have maybe a quite simple question: is there any way to override the default ldap-reply attribute with another value than there is in ldap. i.e.:
>
> users-file:
>
>     Default Called-Station-Id = 00-1A-30-2F-11-50:Test, Airespace-Interface-Name := 777
>
> ldap.attrmap:
>
>     replyItem Airespace-Interface-Name radiusCallingStationId
>
> wanted result: if the users-file doesn't match, use value of ldap-attribute: radiusCallingStationId, otherwise use value: 777
>
> in this type of configuration it seems I can't override the ldap-reply attribute-value with the users-file.

Check the order in which the files and ldap module appear in the authorize section. If you want to override an ldap value then you need to have the files module after the ldap module.

> is there any possible way to do this?
>
> thanks in advance :-)
>
> freeradius ver: 1.1.4

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: FreeRadius+AD integration
I tried with the following in the authenticate section

    Auth-Type ntlm_auth {
        mschap   # am not sure about the protocol i need to use here
    }

I have attached the debug window output

    rad_recv: Access-Request packet from host 127.0.0.1:32928, id=202, length=57
            User-Name = raduser
            User-Password = radpass
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module preprocess returns ok for request 0
      modcall[authorize]: module chap returns noop for request 0
      modcall[authorize]: module mschap returns noop for request 0
        rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module suffix returns noop for request 0
      rlm_eap: No EAP-Message, not doing EAP
      modcall[authorize]: module eap returns noop for request 0
        users: Matched entry DEFAULT at line 214
      modcall[authorize]: module files returns ok for request 0
    modcall: group authorize returns ok for request 0
      rad_check_password:  Found Auth-Type ntlm_auth
    auth: type ntlm_auth
      Processing the authenticate section of radiusd.conf
    modcall: entering group Auth-Type for request 0
      rlm_mschap: No User-Password configured.  Cannot create LM-Password.
      rlm_mschap: No User-Password configured.  Cannot create NT-Password.
      rlm_mschap: No MS-CHAP-Challenge in the request
      modcall[authenticate]: module mschap returns reject for request 0
    modcall: group Auth-Type returns reject for request 0
    auth: Failed to validate the user.
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request

All I want to do is authenticate my cisco device logins using ADS id and password. I am a novice to radius, please help.

thank you
regards
sb

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> shrikant Bhat wrote:
> > Hi, I am trying to integrate freeradius with ADS 2003. I referred to http://deployingradius.com/documents/configuration/active_directory.html. Everything works perfectly fine till
> >
> >     $ ntlm_auth --request-nt-key --domain=*MYDOMAIN* --username=*user* --password=*password*
> >
> > I get NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module in radius.conf as per the instructions, but radtest fails with Access-Reject. I have attached the debug window output for reference.
>
>   You did not add the ntlm_auth entry to the authenticate section, as the web page says.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
FR + LDAP + ADS 2003 password questions
here is a 57kb tar.gz of my /etc/raddb folder containing all configs.
http://rapidshare.com/files/27470184/20070420_ldap_working.tar.gz.html

--

Hello

I have been reading everything I can get my hands on to resolve this problem I'm having. The error message related to this problem:

    Attribute User-Password is required for authentication.

Now I have just read through doc/rlm_ldap again and the 4th last paragraph made me wonder if this current method I'm trying is supported.

    LDAP and Active Directory - Active directory does not return anything in the userPassword attribute, unlike other LDAP servers. As a result, you cannot use Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication. You can only use PAP, and then only if you list ldap in the authenticate section. To do MS-CHAP against an Active Directory domain, see the comments in radiusd.conf, about ntlm_auth. You will need to install Samba.

Is it true that the only way to authenticate against active directory is using ntlm_auth?

I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having samba installed. I can't see the risk of having samba installed myself if no directories are being shared (please correct me if I'm wrong).

I have enabled anonymous LDAP searches on the ADS. On Friday I added this line to ldap.attrmap:

    checkItem userPassword User-Password

And it worked for that day. I came back after the weekend, copied configs across to my 2nd linux machine and retried, but it failed with the old error mentioned above. I tried on the test server and it now fails as well with the same error (possibly the server was reset over the weekend or something, I dunno).

My test shows that anonymous search is definitely working:

    ldapsearch -h 10.1.1.11 -b 'dc=tfxschool,dc=internal' -x -LLL -s sub 'objectclass=*'

I don't have access to the machines atm (finished work for the day) but I did notice that down the bottom of ldap.attrmap I still have these entries which were suggested by a thread I found on google (same error message). I'm wondering if these lines will be adversely affecting my entry above and/or ldap authentication in general.

    checkItem LM-Password lmPassword
    checkItem NT-Password ntPassword
    checkItem User-Password lmPassword

Thanks in advance people, I really appreciate the help I have been getting on this mailing list. It has been an epic struggle for me so far (learning perl + snmp + cisco was easier) but I haven't given up hope yet!
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> I tried with the following in the authenticate section
>
>     Auth-Type ntlm_auth {
>         mschap   # am not sure about the protocol i need to use here

  The web page says to just put ntlm_auth in the authenticate section. It doesn't say you need Auth-Type, and it doesn't say to put mschap in it, either.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Jacob Jarick wrote:
> My problem is the ldap password retrieved from the windows client is not being sent to the ldap server.

  The problem is that you have configured Auth-Type := LDAP, and then sent the server an 802.1x authentication request.

  Do NOT set Auth-Type = LDAP. This is repeated all over the place in the configuration files, the documentation, and on this list.

  In fact, just delete ldap from the authenticate section. If you can get PAP working with that setup, then 802.1x EAP should work, too.

  Make sure that FreeRADIUS is retrieving the password from LDAP. If you have FreeRADIUS doing bind as user to LDAP, then it is NOT retrieving the password from LDAP.

  See: http://deployingradius.com/documents/protocols/

  And the two other web pages linked to from that page.

> The weird thing is It was working fine friday.

  Because you were doing PAP authentication.

  I'm half inclined to remove ldap bind as user from the server entirely. It confuses too many people, and causes too many problems.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: Problem with realm
Christian Hohmann wrote:
> Hi,
>
> I'm trying to configure freeradius for authentication with username and pwd. It works if I enter the information directly, but if I configure the client to authenticate with username and password, it transmits HOSTNAME\USERNAME. I discovered realms, but I can't get it to work. I hope that you can help me with a hint; I added my radiusd.conf below.

  See the FAQ for "it doesn't work". Also see the FAQ for what information needs to be given when posting questions to the list.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: FR + LDAP + ADS 2003 password questions
Jacob Jarick wrote:
> Is it true that the only way to authenticate against active directory is using ntlm_auth?

  For ms-chap, yes.

> I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having samba installed. I can't see the risk of having samba installed myself if no directories are being shared (please correct me if I'm wrong).

  Yes. You can also put firewall rules in place to block any traffic to the Samba machine.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: FreeRadius+AD integration
My apologies for that mistake. I have the following lines in the modules section

    exec ntlm_auth {
        wait = no
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
    }

and I have ntlm_auth listed in the authenticate section. While running radiusd -X I get the following error.

    [EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -X -y
    Starting - reading configuration files ...
    reread_config:  reading radiusd.conf
    Config:   including file: /etc/raddb/clients.conf
    Config:   including file: /etc/raddb/snmp.conf
    Config:   including file: /etc/raddb/eap.conf
    Config:   including file: /etc/raddb/sql.conf
     main: prefix = /usr
     main: localstatedir = /var
     main: logdir = /var/log/radius
     main: libdir = /usr/lib
     main: radacctdir = /var/log/radius/radacct
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /var/log/radius/radius.log
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /var/run/radiusd/radiusd.pid
     main: user = radiusd
     main: group = radiusd
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/sbin/checkrad
     main: proxy_requests = yes
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files:  reading dictionary
    read_config_files:  reading naslist
    Using deprecated naslist file.  Support for this will go away soon.
    read_config_files:  reading clients
    read_config_files:  reading realms
    radiusd:  entering modules setup
    Module: Library search path is /usr/lib
    Module: Loaded exec
     exec: wait = yes
     exec: program = (null)
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
     exec: wait = no
     exec: program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    Module: Instantiated exec (ntlm_auth)
    radiusd.conf[1685] Unknown Auth-Type exec in authenticate section.

thanks for the help in advance.
SB
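The radiusd -X output quoted in this thread, the "No authenticate method (Auth-Type)" line at the top of the page, and the rlm_ldap "Attribute User-Password is required" error in the LDAP threads are all recognisable failure signatures. The following added script (not part of FreeRADIUS; the sample debug text is constructed from the lines quoted on this page) parses 1.x-style debug output into request attributes, per-module return codes and the chosen Auth-Type, labels those signatures, and adds a cross-check that does not depend on log wording: a PAP request (User-Password present, no MS-CHAP-Challenge) that ends up in the mschap module is an Auth-Type selection problem, not a bad password.

```python
"""Triage helper for FreeRADIUS 1.x `radiusd -X` output (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

_ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.+?)"?\s*$')      # indented attr lines
_MOD_RE = re.compile(r'modcall\[(\w+)\]: module "?([\w-]+)"? returns (\w+) for request (\d+)')
_AUTH_TYPE_RE = re.compile(r'Found Auth-Type (\S+)')

# (finding code, regex seen in the debug text, meaning); all taken from this page.
SIGNATURES: List[Tuple[str, str, str]] = [
    ("no-auth-type", r"No authenticate method \(Auth-Type\) configuration found",
     "nothing in authorize set an Auth-Type, so authenticate never ran"),
    ("mschap-no-challenge", r"rlm_mschap: No MS-CHAP-Challenge in the request",
     "mschap was run on a request carrying no MS-CHAP attributes"),
    ("mschap-no-password", r"rlm_mschap: No User-Password configured",
     "mschap has no known-good password to derive NT/LM hashes from"),
    ("unknown-auth-type-section", r"Unknown Auth-Type \S+ in authenticate section",
     "authenticate names something that is not a module instance"),
    ("ldap-needs-user-password", r"rlm_ldap: Attribute User-Password is required",
     "ldap bind-as-user needs a clear-text User-Password, i.e. PAP only"),
]
MEANING = {code: text for code, _, text in SIGNATURES}
MEANING["pap-request-routed-to-mschap"] = (
    "a PAP request (User-Password, no MS-CHAP-Challenge) was handed to mschap")


@dataclass
class DebugSummary:
    request: Dict[str, str] = field(default_factory=dict)
    modules: List[Tuple[str, str, str]] = field(default_factory=list)  # (section, module, rc)
    auth_type: str = ""
    findings: List[str] = field(default_factory=list)


def parse_debug(text: str) -> DebugSummary:
    s = DebugSummary()
    in_packet = False
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            in_packet = True                  # indented attribute lines follow
            continue
        if in_packet:
            m = _ATTR_RE.match(line)
            if m:
                s.request[m.group(1)] = m.group(2)
                continue
            in_packet = False                 # first non-attribute line ends the packet dump
        m = _MOD_RE.search(line)
        if m:
            s.modules.append((m.group(1), m.group(2), m.group(3)))
        m = _AUTH_TYPE_RE.search(line)
        if m:
            s.auth_type = m.group(1)
    for code, pattern, _ in SIGNATURES:
        if re.search(pattern, text):
            s.findings.append(code)
    # radtest sends PAP; if the authenticate group ran mschap and it rejected,
    # the Auth-Type selection is the real problem whatever the log text says.
    is_pap = "User-Password" in s.request and "MS-CHAP-Challenge" not in s.request
    if is_pap and ("authenticate", "mschap", "reject") in s.modules:
        s.findings.append("pap-request-routed-to-mschap")
    return s


def explain(summary: DebugSummary) -> List[str]:
    return [f"{code}: {MEANING[code]}" for code in summary.findings]


# Constructed sample, condensed from the radtest debug output quoted in this thread.
SAMPLE_NTLM_AUTH = """\
rad_recv: Access-Request packet from host 127.0.0.1:32928, id=202, length=57
        User-Name = raduser
        User-Password = radpass
        NAS-IP-Address = 255.255.255.255
  Processing the authorize section of radiusd.conf
  modcall[authorize]: module mschap returns noop for request 0
  modcall[authorize]: module files returns ok for request 0
  rad_check_password:  Found Auth-Type ntlm_auth
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module mschap returns reject for request 0
auth: Failed to validate the user.
"""

# Constructed sample for the failure quoted in the first message of the thread.
SAMPLE_NO_AUTH_TYPE = """\
rad_recv: Access-Request packet from host 127.0.0.1:32929, id=7, length=57
        User-Name = raduser
        User-Password = radpass
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM_AUTH, SAMPLE_NO_AUTH_TYPE):
        print("\n".join(explain(parse_debug(sample))), "\n")
```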
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Jacob Jarick wrote:
> Thanks again Alan,
>
> For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).

  Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.

> Now let's see if I understood the tables correctly.
>
> PAP is the only method that will support LDAP bind as user?

  It's the other way around. LDAP bind as user only works with PAP.

> When using PAP - LDAP will I still have to map userPassword to User-Password?

  No. I've added some more code that will go into 1.1.7 / 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.

> Will there be extra configuration required on free radius to make use of pap - ADS ldap or will it work automatically because ldap is configured in the modules {} section.

  I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.

> Won't using PAP mean plain text password from client - cisco wap - radius - ADS server?

  No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: FR + LDAP + ADS 2003 password questions
Sorry to pester u Alan :P

Does mschapv2 also support ntlm_auth?

and now that I understand your tables (well I think) I should be able to persuade my employer to use ntlm and firewall the samba ports.

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Is it true that the only way to authenticate against active directory is using ntlm_auth?
>
>   For ms-chap, yes.
>
> > I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having samba installed. I can't see the risk of having samba installed myself if no directories are being shared (please correct me if I'm wrong).
>
>   Yes. You can also put firewall rules in place to block any traffic to the Samba machine.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
Re: FreeRadius+AD integration
shrikant Bhat wrote:
> My apologies for that mistake. I have the following lines in the modules section
>
>     exec ntlm_auth {
>         wait = no
>         program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
>     }
>
> and I have ntlm_auth listed in the authenticate section

  No, you don't. You listed exec, not ntlm_auth.

  Please follow the instructions. If you are not going to follow the instructions, then do not be surprised that it doesn't work.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: override ldap reply attribute
Kostas Kalevras wrote:
> [EMAIL PROTECTED] wrote:
> > Hi Guys,
> >
> > I have maybe a quite simple question: is there any way to override the default ldap-reply attribute with another value than there is in ldap. i.e.:
> >
> > users-file:
> >
> >     Default Called-Station-Id = 00-1A-30-2F-11-50:Test, Airespace-Interface-Name := 777
> >
> > ldap.attrmap:
> >
> >     replyItem Airespace-Interface-Name radiusCallingStationId
> >
> > wanted result: if the users-file doesn't match, use value of ldap-attribute: radiusCallingStationId, otherwise use value: 777
> >
> > in this type of configuration it seems I can't override the ldap-reply attribute-value with the users-file.
>
> Check the order in which the files and ldap module appear in the authorize section. If you want to override an ldap value then you need to have the files module after the ldap module.

unfortunately the problem still persists, also if I change the order :-(
any other ideas?

> > is there any possible way to do this?
> >
> > thanks in advance :-)
> >
> > freeradius ver: 1.1.4
>
> --
> Kostas Kalevras - Network Operations Center
> National Technical University of Athens
> http://kkalev.wordpress.com
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Forgive the newbie questions but I think it's best to clear up confusion.

client - cisco - FR server = eap
FR - ADS 2003 = pap

Is that correct or am I way off track.

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Thanks again Alan,
> >
> > For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).
>
>   Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.
>
> > Now let's see if I understood the tables correctly.
> >
> > PAP is the only method that will support LDAP bind as user?
>
>   It's the other way around. LDAP bind as user only works with PAP.
>
> > When using PAP - LDAP will I still have to map userPassword to User-Password?
>
>   No. I've added some more code that will go into 1.1.7 / 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.
>
> > Will there be extra configuration required on free radius to make use of pap - ADS ldap or will it work automatically because ldap is configured in the modules {} section.
>
>   I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.
>
> > Won't using PAP mean plain text password from client - cisco wap - radius - ADS server?
>
>   No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
Radius and OTP integration
Hi all,

I have to find a solution that integrates the use of OTP (One Time Password) as a second-factor authentication, in addition to the first-factor authentication (which is generally username and password), into an existing authentication system. This solution should be integrated easily into the existing authentication system regardless of the protocol used for authentication (Radius, Kerberos, Http, EAP, etc) and regardless of the OS.

My questions are:

1- What are the possibilities and the facilities offered by FreeRadius?

2- I thought about two solutions:

  a- Developing a plug-in that could be integrated into the existing authentication system. This plug-in will interact with the OTP server for OTP validation.

  b- Installing a radius server in front of the existing IT system. This server will be configured in a way that it will redirect first-factor authentication requests (example: username/password) to the existing authentication system and the OTP second-factor authentication to the hosted OTP services server, and give access to the user only when these 2 factors are valid.

I have no idea about Radius. And these are general ideas and I want someone to tell me if these solutions are possible and how to proceed. What is best or better to do? Is there any other solution?

Waiting for your response. Thanks in advance.
Re: override ldap reply attribute
Chaos Commander wrote:
> Kostas Kalevras wrote:
> > [EMAIL PROTECTED] wrote:
> > > Hi Guys,
> > >
> > > I have maybe a quite simple question: is there any way to override the default ldap-reply attribute with another value than there is in ldap. i.e.:
> > >
> > > users-file:
> > >
> > >     Default Called-Station-Id = 00-1A-30-2F-11-50:Test, Airespace-Interface-Name := 777
> > >
> > > ldap.attrmap:
> > >
> > >     replyItem Airespace-Interface-Name radiusCallingStationId
> > >
> > > wanted result: if the users-file doesn't match, use value of ldap-attribute: radiusCallingStationId, otherwise use value: 777
> > >
> > > in this type of configuration it seems I can't override the ldap-reply attribute-value with the users-file.
> >
> > Check the order in which the files and ldap module appear in the authorize section. If you want to override an ldap value then you need to have the files module after the ldap module.
>
> unfortunately the problem still persists, also if I change the order :-(
> any other ideas?

Run in debug mode (radiusd -X) and POST the output.

> > > is there any possible way to do this?
> > >
> > > thanks in advance :-)
> > >
> > > freeradius ver: 1.1.4
> >
> > --
> > Kostas Kalevras - Network Operations Center
> > National Technical University of Athens
> > http://kkalev.wordpress.com

--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com
Re: FR + LDAP + ADS 2003 password questions
Jacob Jarick wrote:
> Sorry to pester u Alan :P
>
> Does mschapv2 also support ntlm_auth?

  Yes. The mschap module does both mschapv1 and mschapv2.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Autotools related problems in freeradius 1.1.6
Greetings to all in the list.

I'd like to report an issue in the build scripts of freeradius. I tried to build version 1.1.6 but the problem exists in earlier versions too.

If I do

    ./configure --prefix=/opt/freeradius

the build scripts presume that --enable-developer is true. This has the effect that -DNDEBUG is not defined in CFLAGS during compilation, among other things, so the rad_assert() function can abort freeradius operation in production environments. I believe that by default, --enable-developer should be false unless explicitly set during configure.

Moreover, in a Solaris 9 environment --enable-developer or --disable-developer seem to be ignored and someone should define CFLAGS explicitly in the configure command to define the -DNDEBUG macro.

Let me know if you need anything else to trace the issue.

Thanks,
Kostas Zorbadelos
Re: FR + LDAP + ADS 2003 password questions
Thanks

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Sorry to pester u Alan :P
> >
> > Does mschapv2 also support ntlm_auth?
>
>   Yes. The mschap module does both mschapv1 and mschapv2.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
FR + LDAP + PAM + encryption question
From my recent thread with Alan, I have gathered that ldap only supports PAP. PAP sends the password in plain text. Is it possible to encapsulate PAP inside another protocol, say EAP, to prevent packet sniffers etc.?

Failing that, is it possible to assign vlans based on ldap primary group via the ntlm_auth method?
Re: Autotools related problems in freeradius 1.1.6
Kostas Zorbadelos wrote:
> If I do
>
>     ./configure --prefix=/opt/freeradius
>
> the build scripts presume that --enable-developer is true.

  That may be an issue only in 1.1.6. You should be able to change it by doing --disable-developer.

> This has the effect that -DNDEBUG is not defined in CFLAGS during compilation, among other things, so the rad_assert() function can abort freeradius operation in production environments.

  Which is not necessarily a bad thing. Yes, it's bad for your RADIUS server to go down. It's arguably worse for the RADIUS server to keep running, and doing... something... after it notices that internal sanity checks have failed.

> I believe that by default, --enable-developer should be false unless explicitly set during configure.
>
> Moreover, in a Solaris 9 environment --enable-developer or --disable-developer seem to be ignored and someone should define CFLAGS explicitly in the configure command to define the -DNDEBUG macro.
>
> Let me know if you need anything else to trace the issue.

  It's just a couple of lines of shell scripting in configure.in.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
Re: NAS not accepting the Access-Accept?
> Hi,
>
> In the documentation of the switch it says:
>
>     To provide each user with appropriate levels of access to the switch, set the following username attributes on your RADIUS server:
>     - R/W access -- Set the Service-Type field value to Administrative
>     - Read-Only -- set the Service-Type field value to NAS-Prompt
>
> So, in my users file, I have defined a user:
>
>     testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type == Administrative-User

    testuser NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, Service-Type = Administrative-User

though if the server doesn't understand that attribute you may need to add it to the dictionary file

however, another method to use is use one of the other modules - eg the PERL module, as part of authorization. its trivial to then check the NAS, the user and then assign/add new attributes.

alan
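Both the switch users-file entry above (`Service-Type ==` as a check item versus `Service-Type =` as a reply item) and the earlier "override ldap reply attribute" thread (files after ldap, `:=` versus `=`) come down to the users-file operator rules. The following is an added model of how the files and ldap modules build a reply list, not FreeRADIUS code; it follows the operator table in the users(5) man page, and the user names, directory contents and the assumption that ldap replyItem values are added with `=` are constructed. It shows that a `:=` reply item replaces whatever an earlier module set while `=` keeps the first value, so both the operator and the authorize order decide which value reaches the NAS, and that a check item the request does not carry makes the whole entry fail to match.

```python
"""Model of FreeRADIUS 1.x check/reply item handling (constructed example).

Check items:  '=='  the request must carry exactly this value
              ':='  always matches (sets a control item, e.g. Cleartext-Password)
Reply items:  '='   add only if the attribute is not yet in the reply
              ':='  replace any existing value
              '+='  append another value
ASSUMPTION: values mapped by ldap replyItem lines are added with '='.
"""
import re
from typing import Callable, Dict, List, Tuple

Item = Tuple[str, str, str]          # (attribute, operator, value)
Pairs = Dict[str, List[str]]         # attribute -> values
_ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,]+?)\s*(?:,|$)')


def parse_items(text: str) -> List[Item]:
    """Parse 'Attr == v, Attr := v' users-file item syntax."""
    return [(a, op, v.strip('"')) for a, op, v in _ITEM_RE.findall(text)]


def check_matches(request: Pairs, items: List[Item]) -> bool:
    return all(op != "==" or value in request.get(attr, [])
               for attr, op, value in items)


def add_reply(reply: Pairs, items: List[Item]) -> None:
    for attr, op, value in items:
        if op == ":=":
            reply[attr] = [value]                      # replace
        elif op == "+=":
            reply.setdefault(attr, []).append(value)   # append
        elif op == "=":
            reply.setdefault(attr, [value])            # add only if absent


def files_module(entries, request: Pairs, reply: Pairs) -> str:
    """First entry whose name (or DEFAULT) and check items match wins.
    entries: (name, check_text, reply_text); Fall-Through is not modelled."""
    user = request.get("User-Name", [""])[0]
    for name, check_text, reply_text in entries:
        if name in ("DEFAULT", user) and check_matches(request, parse_items(check_text)):
            add_reply(reply, parse_items(reply_text))
            return "ok"
    return "noop"


def ldap_module(directory, attrmap, request: Pairs, reply: Pairs) -> str:
    """Apply 'replyItem <radius-attr> <ldap-attr>' mappings to the user's entry."""
    entry = directory.get(request.get("User-Name", [""])[0])
    if entry is None:
        return "notfound"
    add_reply(reply, [(radius_attr, "=", entry[ldap_attr])
                      for radius_attr, ldap_attr in attrmap if ldap_attr in entry])
    return "ok"


def run_authorize(order, modules: Dict[str, Callable], request: Pairs) -> Pairs:
    reply: Pairs = {}
    for name in order:                # modules run in authorize-section order
        modules[name](request, reply)
    return reply


# --- constructed data for the "override ldap reply attribute" thread ----------
LDAP_DIR = {"bob": {"radiusCallingStationId": "from-ldap"}}
ATTRMAP = [("Airespace-Interface-Name", "radiusCallingStationId")]
REQ_BOB = {"User-Name": ["bob"], "Called-Station-Id": ["00-1A-30-2F-11-50:Test"]}


def override_result(order: Tuple[str, ...], files_op: str = ":=") -> List[str]:
    """Airespace-Interface-Name after running `order`, with the users-file
    reply item written using `files_op`."""
    users = [("DEFAULT", "Called-Station-Id == 00-1A-30-2F-11-50:Test",
              f"Airespace-Interface-Name {files_op} 777")]
    modules = {"ldap": lambda rq, rp: ldap_module(LDAP_DIR, ATTRMAP, rq, rp),
               "files": lambda rq, rp: files_module(users, rq, rp)}
    return run_authorize(order, modules, REQ_BOB)["Airespace-Interface-Name"]


# --- constructed data for the switch Service-Type entry -----------------------
REQ_SWITCH = {"User-Name": ["testuser"], "NAS-IP-Address": ["172.16.8.30"]}
# Service-Type on the first line is a check item: the request must carry it.
USERS_AS_CHECK = [("testuser", "NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing, "
                   "Service-Type == Administrative-User", "")]
# Service-Type as a reply item: sent back to the switch in the Access-Accept.
USERS_AS_REPLY = [("testuser", "NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing",
                   "Service-Type = Administrative-User")]


def switch_login(entries) -> Tuple[str, List[str]]:
    reply: Pairs = {}
    rc = files_module(entries, REQ_SWITCH, reply)
    return rc, reply.get("Service-Type", [])
```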
PEAP/EAP-TLS with client and server certificate
Hi,

I'm trying to configure FreeRADIUS with PEAP + EAP-TLS, but I'm getting confused configuring radiusd.conf (sections authorize and authenticate) and eap.conf. Has someone implemented this configuration? In the eap.conf file, should the default EAP type be TLS or PEAP? What do I have to configure in the authorize and authenticate sections? I've attached my conf files below.

Best Regards
...

FreeRADIUS Version 1.0.1

eap.conf

eap {
    default_eap_type = tls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    # Supported EAP-types

    # EAP-TLS
    tls {
        private_key_password = xxx
        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
    }

    peap {
        default_eap_type = tls
    }

    #tls {
    #    private_key_password = xx
    #    private_key_file = ${raddbdir}/certs/freeradius_key.pem
    #    certificate_file = ${raddbdir}/certs/freeradius_cert.pem
    #    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
    #    dh_file = ${raddbdir}/certs/dh
    #    random_file = ${raddbdir}/certs/random
    #    fragment_size = 1024
    #    include_length = yes
    #}

    #mschapv2 {
    #}
}

radiusd.conf (only authorize and authenticate sections)

. . .

# Instantiation
instantiate {
}

#
authorize {
    preprocess
    files
    mschap
    eap
}

# Authentication.
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}

. . .
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
So the big question is, what Auth-Type do I use? If LDAP is not permitted (it still confuses me, as I only need/want RADIUS to authenticate against LDAP), what Auth-Type do I set in the users file so that wireless users can authenticate using their ADS usernames and passwords?

On 4/23/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Forgive the newbie questions, but I think it's best to clear up confusion.
>
> client - cisco - FR server = eap
> FR - ADS 2003 = pap
>
> Is that correct or am I way off track?
>
> On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
>> Jacob Jarick wrote:
>>> Thanks again Alan,
>>>
>>> For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).
>>
>> Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.
>>
>>> Now let's see if I understood the tables correctly. PAP is the only method that will support LDAP bind as user?
>>
>> It's the other way around. LDAP bind as user only works with PAP.
>>
>>> When using PAP - LDAP will I still have to map userPassword to User-Password?
>>
>> No. I've added some more code that will go into 1.1.7 / 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.
>>
>>> Will there be extra configuration required on FreeRADIUS to make use of pap - ADS ldap, or will it work automatically because ldap is configured in the modules {} section?
>>
>> I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.
>>
>>> Won't using PAP mean plain text password from client - cisco wap - radius - ADS server?
>>
>> No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.
>>
>> Alan DeKok.
>> --
>> http://deployingradius.com - The web site of the book
>> http://deployingradius.com/blog/ - The blog
Requesting Decent Freeradius + ADS 2003 + LDAP howto
Ok, I have read them all: the wikis, the unrelated Novell howtos for eDirectory; I bought an O'Reilly book on LDAP (their FR + LDAP howto is incorrect apparently) and googled countless times.

The articles on http://wiki.freeradius.org/LDAP aren't much help; they just reiterate what's in the config files, and rlm_ldap doesn't seem to mention setting the users file.

http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html

The above article instructs you to set Auth-Type := LDAP, which is wrong, I have been told by Alan (but what is correct then?).

I am about to start from fresh again just to make sure it's not a config setting I have changed and forgot to fix. But I would appreciate any good howtos others may have found and of course any answers/information you guys can provide.

Thanks again.
Fwd: Requesting Decent Freeradius + ADS 2003 + LDAP howto
These examples here look a bit more promising.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 24, 2007 9:01 AM
Subject: Requesting Decent Freeradius + ADS 2003 + LDAP howto
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Fwd: Requesting Decent Freeradius + ADS 2003 + LDAP howto
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Configuring_The_.2Fetc.2Fraddb.2Fradiusd.conf_File

Another howto that instructs you to set DEFAULT Auth-Type := LDAP

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 24, 2007 9:01 AM
Subject: Requesting Decent Freeradius + ADS 2003 + LDAP howto
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Alan, my test PC only supports PEAP over wireless, and the setup has to be wireless. Removing ldap from the authenticate section causes an EAP error, so I guess there is more configuration than simply removing/commenting that section out.

I don't know how to not bind as a user when using FR + LDAP; no document I have seen so far seems to cover it.

What encryption do you use for the ldap password in radius.conf, so that anonymous searches are not needed?
FR + ADS 2003 + ntlm_auth (including config files)
radius -X -f: http://pastebin.ca/455389
config files: http://rapidshare.com/files/27607850/config.tgz.html

Hello All,

I have gone back to ntlm_auth for the time being instead of LDAP due to the incredibly frustrating lack of good documentation (if there are good docs, link them or shut up). None of the howtos/tutorials I have followed end in success; it's always some LDAP error of some kind. At least half the FR + LDAP howtos say to set DEFAULT Auth-Type := LDAP, which I have been told by Alan is incorrect.

I followed Alan's Active Directory Integration tutorial and everything is set up as the guide says, but EAP fails with this message:

rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.

I had this the first time I followed the PDF, but I did find another howto that said to add something else and that got it working; for the life of me I can't find it again.

On another note, I'd like to volunteer to help update some of the documentation out there on FR; some is horribly out of date and makes for a very frustrating introduction for people.
Re: Add a secondary ldap server to radiusd.conf
On 23 Apr 2007 at 11:18, Kostas Kalevras wrote:
> Hubert Kupper wrote:
>> Hello,
>>
>> how can I add a secondary ldap server to radiusd.conf for failover?
>
> Just create a second ldap module instance with the secondary ldap server configuration and read doc/configurable_failover

Thanks! I have 2 ldap module instances and will add 2 instances with the secondary ldap server.

Boert
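Putting Kostas's answer and Alan's earlier point about Auth-Type together: the radiusd.conf layout below is an added example in FreeRADIUS 1.x syntax, not configuration from either post. It shows two rlm_ldap instances wrapped in a `redundant` block, as doc/configurable_failover describes, and a PAP flow in which rlm_ldap fetches the password and rlm_pap sets Auth-Type itself, so nothing in the users file forces `Auth-Type := LDAP`. Host names, the bind DN, its password and the base DN are constructed placeholders, and the comments on `redundant` restate what doc/configurable_failover specifies.

```text
# radiusd.conf fragments (FreeRADIUS 1.x). Added example; all names are
# constructed placeholders.
modules {
    # One rlm_ldap instance per directory server.
    ldap ldap1 {
        server = "ldap-primary.example.com"          # placeholder
        identity = "cn=radius,dc=example,dc=com"     # placeholder bind DN
        password = "change-me"                       # placeholder, stored in clear
        basedn = "dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    ldap ldap2 {
        server = "ldap-secondary.example.com"        # placeholder
        identity = "cn=radius,dc=example,dc=com"
        password = "change-me"
        basedn = "dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}

authorize {
    preprocess
    # "redundant" runs ldap1 and moves on to ldap2 only when ldap1 returns
    # fail (server unreachable, timeout). notfound or reject from ldap1 is
    # final and does not fail over.
    redundant {
        ldap1
        ldap2
    }
    # If rlm_ldap could read the user's password attribute, rlm_pap sets
    # Auth-Type = PAP here on its own. Do not set Auth-Type := LDAP in users.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    # Reached only when rlm_ldap could not read a password and fell back to
    # binding as the user. That works for PAP only: EAP methods such as PEAP
    # never hand the server a clear-text password to bind with.
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }
}
```

Two caveats a practitioner will hit with this layout. The `password` for the bind DN is stored in clear in radiusd.conf, so the answer to "what encryption do you use" is file permissions (readable by the radiusd user only) and a bind account with read-only rights; and rlm_pap's `encryption_scheme` has to match how the directory stores the password, otherwise a correctly fetched userPassword still fails comparison. For 802.1X with PEAP, as the thread says, this path cannot work at all, which is why the ntlm_auth route is taken later on the page.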