Re: FreeRadius+AD integration

2007-04-23 Thread A . L . M . Buxey
Hi,

 radius.conf as per the instructions, but radtest fails with Access-Reject .I
 have attached the debug window output for reference.

No, you haven't. You've attached a tiny snippet of the debug output.

 auth: No authenticate method (Auth-Type) configuration found for the
 request: Rejecting the user

but at least it shows this bit - how are you attempting to authenticate
and WHAT are you attempting to authenticate?

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Add a secondary ldap server to radiusd.conf

2007-04-23 Thread Hubert Kupper
Hello,

how can I add a secondary ldap server to radiusd.conf for failover?

Regards
Boert


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
 Hi,
 I am trying to integrate freeradius with ADS 2003. I referred to
 http://deployingradius.com/documents/configuration/active_directory.html.
 Everything works perfectly fine till ( $ ntlm_auth --request-nt-key
 --domain=*MYDOMAIN* --username=*user* --password=*password*) I get
 NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module
 in radius.conf as per the instructions, but radtest fails with
 Access-Reject. I have attached the debug window output for reference.

  You did not add the ntlm_auth entry to the authenticate section,
as the web page says.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Add a secondary ldap server to radiusd.conf

2007-04-23 Thread Kostas Kalevras
Hubert Kupper wrote:
 Hello,

 how can I add a secondary ldap server to radiusd.conf for failover?
   
Just create a second ldap module instance with the secondary ldap server
configuration and read doc/configurable_failover.

 Regards
 Boert
   

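A worked radiusd.conf fragment for what Kostas describes, added here as an editor's example; it is not from the thread or from the FreeRADIUS distribution. It uses FreeRADIUS 1.1.x syntax. The server names, base DN and bind identity under example.internal are made-up placeholders, and the `suffix` instance is the one from the stock 1.x configuration.

```conf
# modules section of radiusd.conf: two rlm_ldap instances with identical
# settings, differing only in the server they talk to.
# Hostnames, basedn, identity and password below are placeholders.
modules {
    ldap ldap_primary {
        server = "ldap1.example.internal"
        identity = "cn=radius,ou=service,dc=example,dc=internal"
        password = "CHANGE-ME"        # radiusd.conf must be readable only by the radius user/group
        basedn = "ou=people,dc=example,dc=internal"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        net_timeout = 1               # connect timeout in seconds; keep it small so failover is quick
        timeout = 4                   # how long to wait for a search result
        timelimit = 3                 # server-side search time limit
        ldap_connections_number = 5
        dictionary_mapping = ${confdir}/ldap.attrmap
    }

    ldap ldap_secondary {
        server = "ldap2.example.internal"
        identity = "cn=radius,ou=service,dc=example,dc=internal"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=internal"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        ldap_connections_number = 5
        dictionary_mapping = ${confdir}/ldap.attrmap
    }
}

authorize {
    preprocess
    suffix
    # redundant: ldap_primary is tried first; ldap_secondary is consulted only
    # when the primary returns "fail" (server unreachable, timed out), not
    # when it returns "notfound" for an unknown user.  See doc/configurable_failover.
    redundant {
        ldap_primary
        ldap_secondary
    }
    files
    pap
}
```

Keep the timeouts short: each request that hits a dead primary blocks a worker thread for `net_timeout` before the secondary is tried, so a large value there turns a failover into a denial of service for everyone else. Note that this only covers authorization against a directory that returns a password attribute; the reply to Jacob further down explains why it does not apply to Active Directory.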

[how] installing

2007-04-23 Thread Martin Budi

Can anybody help me with how to install and configure RADIUS on CentOS?
Thanks in advance.

Problem with realm

2007-04-23 Thread Christian Hohmann
Hi,

I'm trying to configure freeradius for authentication with username and password. It 
works if I enter the information directly, but if I configure the client to 
authenticate with username and password, it transmits HOSTNAME\USERNAME. I 
discovered realms, but I can't get it to work. I hope that you can help me with a 
hint; I added my radiusd.conf below.

Regards - Christian


prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid

user = root
group = root

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

bind_address = *
port = 0

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions= yes

log_stripped_names = yes
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no

usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad

security {
max_attributes = 200
reject_delay = 1
status_server = no
}

proxy_requests  = no
$INCLUDE  ${confdir}/clients.conf
snmp= no

thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}

modules {
chap {
authtype = CHAP
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
$INCLUDE ${confdir}/eap.conf
mschap {
authtype = MS-CHAP
}

realm ntdomain {
format = prefix
delimiter = \\
ignore_default = no
ignore_null = no
}   

preprocess {
ascend_channels_per_line = 23
with_ntdomain_hack = no
}

files {
usersfile = ${confdir}/users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}

detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}

acct_unique {
key = User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port
}

radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
perm = 0600
callerid = yes
}

attr_filter {
attrsfile = ${confdir}/attrs
}

expr {
}

exec {
wait = yes
input_pairs = request
}

exec echo {
wait = yes
program = /bin/echo %{User-Name}
input_pairs = request
output_pairs = reply
}
}

instantiate {
exec
expr
}
authorize {
preprocess
chap
mschap
ntdomain
eap
files
}

authenticate {
Auth-Type PAP {
pap
}

Auth-Type CHAP {
chap
}

Auth-Type MS-CHAP {
mschap
}
unix
eap
}

preacct {
preprocess
acct_unique
ntdomain
files
}

accounting {
detail
unix
radutmp
}

session {
radutmp
}

post-auth {
}



RE: [how] installing

2007-04-23 Thread [EMAIL PROTECTED]
www.deployingradius.com


or

yum install freeradius
vi /etc/raddb/*


or

wget ftp://ftp.freeradius.org:/pub/radius/freeradius-1.1.6.tar.bz2
tar -xjvf freeradius-1.1.6.tar.bz2
cd freeradius-1.1.6
./configure
make
make install
vi /etc/raddb/*

seriously, your question is just SO open.

alan



Re: Add a secondary ldap server to radiusd.conf

2007-04-23 Thread Jacob Jarick
Hubert would you mind showing me how you map the ldap password to the
radius password.

I've tried checkItem userPassword User-Password but the radius debug
logs complain that it needs User-Password still :|

On 4/23/07, Hubert Kupper [EMAIL PROTECTED] wrote:
 Hello,

 how can I add a secondary ldap server to radiusd.conf for failover?

 Regards
 Boert


Re: override ldap reply attribute

2007-04-23 Thread Kostas Kalevras
[EMAIL PROTECTED] wrote:
 Hi Guys,

 I have maybe a quite simple question:

 is there any way to override the default ldap-reply attribute with another 
 value than the one in ldap?

 i.e.:

 users-file:

 Default Called-Station-Id = 00-1A-30-2F-11-50:Test, 
 Airespace-Interface-Name := 777

 ldap.attrmap:

 replyItem   Airespace-Interface-NameradiusCallingStationId

 wanted result:

 if the users-file doesn't match, use the value of the ldap-attribute 
 radiusCallingStationId, otherwise use the value 777


 in this type of configuration it seems I can't override the ldap-reply 
 attribute-value with the users-file.
   
Check the order in which the files and ldap modules appear in the 
authorize section. If you want to override an ldap value then you need 
to have the files module after the ldap module.

 is there any possible way to do this?

 thanks in advance :-)

 freeradiusver: 1.1.4


   


-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com


Re: FreeRadius+AD integration

2007-04-23 Thread shrikant Bhat
I tried with the following in the authenticate section

Auth-Type ntlm_auth {
   mschap   <-- I am not sure about the protocol I need to use here
}

I have attached the debug window output
**
rad_recv: Access-Request packet from host 127.0.0.1:32928, id=202, length=57
User-Name = raduser
User-Password = radpass
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = raduser, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry DEFAULT at line 214
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type ntlm_auth
auth: type ntlm_auth
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module mschap returns reject for request 0
modcall: group Auth-Type returns reject for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
***
All I want to do is authenticate my cisco device logins using ADS id
and password.
I am a novice to radius, please help.
thank you
regards
sb



On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
 shrikant Bhat wrote:
  Hi,
  I am trying to integrate freeradius with ADS 2003. I referred to
  http://deployingradius.com/documents/configuration/active_directory.html.
  Everything works perfectly fine till ( $ ntlm_auth --request-nt-key
  --domain=*MYDOMAIN* --username=*user* --password=*password*) I get
  NT_STATUS_OK. I don't see NT_KEY output. I made changes to the exec module
  in radius.conf as per the instructions, but radtest fails with
  Access-Reject. I have attached the debug window output for reference.

   You did not add the ntlm_auth entry to the authenticate section,
 as the web page says.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


FR + LDAP + ADS 2003 password questions

2007-04-23 Thread Jacob Jarick
here is a 57kb tar.gz of my /etc/raddb folder containing all configs.
http://rapidshare.com/files/27470184/20070420_ldap_working.tar.gz.html

--

Hello, I have been reading everything I can get my hands on to resolve
this problem I'm having. The error message related to this problem:
Attribute User-Password is required for authentication.

Now I have just read through doc/rlm_ldap again and the 4th last
paragraph made me wonder if the current method I'm trying is
supported.


LDAP and Active Directory
-

Active directory does not return anything in the userPassword
attribute, unlike other LDAP servers.  As a result, you cannot use
Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication.
You can only use PAP, and then only if you list ldap in the
authenticate section.

To do MS-CHAP against an Active Directory domain, see the comments in
radiusd.conf, about ntlm_auth.  You will need to install Samba.


Is it true that the only way to authenticate against active directory
is using ntlm_auth?
I have been specifically asked not to use the ntlm_auth method against
AD out of security concerns from having samba installed. I can't see the
risk of having samba installed myself if no directories are being
shared (please correct me if I'm wrong).

I have enabled anonymous LDAP searches on the ADS.

On friday I added this line to ldap.attrmap:
checkItem   userPasswordUser-Password

And it worked for that day. I came back after the weekend, copied
configs across to my 2nd linux machine and retried but it failed with
the old error mentioned above. I tried on the test server and it now
fails as well with the same error (possibly the server was reset over the
weekend or something, I dunno).

My test shows that anonymous search is definitely working
ldapsearch -h 10.1.1.11 -b 'dc=tfxschool,dc=internal' -x -LLL -s sub
'objectclass=*'

I don't have access to the machines atm (finished work for the day) but
I did notice that down the bottom of ldap.attrmap I still have these
entries which were suggested by a thread I found on google (same error
message). I'm wondering if these lines will be adversely affecting my
entry above and/or ldap authentication in general.


checkItem   LM-Password lmPassword
checkItem   NT-Password ntPassword
checkItem   User-Password   lmPassword


Thanks in advance people, I really appreciate the help I have been
getting on this mailing list.
It has been an epic struggle for me so far (learning perl + snmp +
cisco was easier) but I haven't given up hope yet!


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
 I tried with the following in the authenticate section
 
 Auth-Type ntlm_auth {
    mschap   <-- I am not sure about the protocol I need to use here

  The web page says to just put ntlm_auth in the authenticate
section.  It doesn't say you need Auth-Type, and it doesn't say to put
mschap in it, either.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
 My problem is the ldap password retrieved from the windows client is
 not being sent to the ldap server.

  The problem is that you have configured Auth-Type := LDAP, and then
sent the server an 802.1x authentication request. Do NOT set Auth-Type =
LDAP.  This is repeated all over the place in the configuration files,
the documentation, and on this list.

  In fact, just delete ldap from the authenticate section.  If you
can get PAP working with that setup, then 802.1x & EAP should work, too.

  Make sure that FreeRADIUS is retrieving the password from LDAP.  If
you have FreeRADIUS doing bind as user to LDAP, then it is NOT
retrieving the password from LDAP.

  See: http://deployingradius.com/documents/protocols/

  And the two other web pages linked to from that page.

 The weird thing is It was working fine friday.

  Because you were doing PAP authentication.

  I'm half inclined to remove ldap bind as user from the server
entirely.  It confuses too many people, and causes too many problems.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Problem with realm

2007-04-23 Thread Alan DeKok
Christian Hohmann wrote:
 Hi,
 
 I'm trying to configure freeradius for authentication with username and password. 
 It works if I enter the information directly, but if I configure the client 
 to authenticate with username and password, it transmits HOSTNAME\USERNAME. 
 I discovered realms, but I can't get it to work. I hope that you can help me 
 with a hint; I added my radiusd.conf below.

  See the FAQ for "it doesn't work".  Also see the FAQ for what
information needs to be given when posting questions to the list.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FR + LDAP + ADS 2003 password questions

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
 Is it true that the only way to authenticate against active directory
 is using ntlm_auth?

  For ms-chap, yes.

 I have been specifically asked not to use the ntlm_auth method against
 AD out of security concerns from having samba installed. I can't see the
 risk of having samba installed myself if no directories are being
 shared (please correct me if I'm wrong).

  Yes.  You can also put firewall rules in place to block any traffic to
the Samba machine.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-23 Thread shrikant Bhat
My apologies for that mistake..

I have the following lines in the modules section:
exec ntlm_auth {
wait = no
program = /usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}
}

and I have ntlm_auth listed in the authenticate section. While running radiusd -X
I get the following error.
*
[EMAIL PROTECTED] raddb]# /usr/sbin/radiusd -X -y
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
 exec: wait = no
 exec: program = /usr/bin/ntlm_auth  --request-nt-key
--domain=MYDOMAIN.COM --username=%{mschap:User-Name}
--password=%{User-Password}
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
Module: Instantiated exec (ntlm_auth)
radiusd.conf[1685] Unknown Auth-Type exec in authenticate section.

***

thanks for the help in advance.
SB


Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
 Thanks again Alan,
 For reference the O'Reilly LDAP book instructs you to set Auth-Type
 := LDAP so that's where I got the bad reference (perhaps other people
 too).

  Yes.  There is a LOT of documentation (web pages, etc.) that say to do
the wrong thing.  It's unfortunate that the people writing those don't
read the FreeRADIUS docs first, and don't ask us to review their
configuration.

 Now let's see if I understood the tables correctly.
 
 PAP is the only method that will support LDAP bind as user ?

  It's the other way around.  LDAP bind as user only works with PAP.

 When using PAP -> LDAP will I still have to map userPassword to User-Password?

  No.

  I've added some more code that will go into 1.1.7 & 2.0.  If the LDAP
module succeeds in retrieving a password from LDAP, it does NOT set
Auth-Type to LDAP.

 Will there be extra configuration required on free radius to make use
 of pap -> ADS ldap or will it work automatically because ldap is
 configured in the modules {} section?

  I would ask what other authentication protocols you need to support
before suggesting to set Auth-Type to LDAP.

 Won't using PAP mean plain text password from client -> cisco wap ->
 radius -> ADS server?

  No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
with Auth-Type = LDAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: FR + LDAP + ADS 2003 password questions

2007-04-23 Thread Jacob Jarick
Sorry to pester you Alan :P

Does mschapv2 also support ntlm_auth ?

and now that I understand your tables (well I think) I should be able
to persuade my employer to use ntlm and firewall the samba ports.

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Jacob Jarick wrote:
  Is it true that the only way to authenticate against active directory
  is using ntlm_auth?

   For ms-chap, yes.

  I have been specifically asked not to use the ntlm_auth method against
  AD out of security concerns from having samba installed. I can't see the
  risk of having samba installed myself if no directories are being
  shared (please correct me if I'm wrong).

   Yes.  You can also put firewall rules in place to block any traffic to
 the Samba machine.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Re: FreeRadius+AD integration

2007-04-23 Thread Alan DeKok
shrikant Bhat wrote:
 My apologies for that mistake..
 
 I have  the following lines in modules  section
 exec ntlm_auth {
 wait = no
 program = /usr/bin/ntlm_auth  --request-nt-key
 --domain=MYDOMAIN.COM
 --username=%{mschap:User-Name} --password=%{User-Password}
 
 and I have ntlm_auth listed in authenticate section

  No, you don't.  You listed exec, not ntlm_auth.

  Please follow the instructions.  If you are not going to follow the
instructions, then do not be surprised that it doesn't work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
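To make Alan's correction concrete, here is the shape the module and the authenticate section should take, as an added editor's example reconstructed from this thread and the deployingradius.com instructions it cites; it is not text from the posts. MYDOMAIN.COM and the /usr/bin/ntlm_auth path come from shrikant's post; the other Auth-Type entries mirror the stock 1.x authenticate section, and the users-file line is assumed.

```conf
# radiusd.conf, modules section: an rlm_exec instance whose *instance name*
# is ntlm_auth.  "exec" is only the module type; the instance name is what
# gets listed in authenticate and what Auth-Type is matched against.
exec ntlm_auth {
    # wait = yes is required for authentication: the server must wait for
    # ntlm_auth to exit and turn its exit status into accept (0) or reject.
    # With wait = no the program is fired and forgotten and can never accept.
    wait = yes
    # %{mschap:User-Name} strips a DOMAIN\ prefix from the login name.
    # %{User-Password} only exists for PAP requests, so this instance
    # authenticates PAP (e.g. radtest, device console logins) only.
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN.COM --username=%{mschap:User-Name} --password=%{User-Password}"
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # Listing the instance here defines Auth-Type ntlm_auth automatically.
    # Writing the module type "exec" here instead is what produces
    # "Unknown Auth-Type exec in authenticate section".
    ntlm_auth
    eap
}

# raddb/users: send requests not matched by an earlier entry to ntlm_auth.
# (assumed entry; place it after any user-specific entries)
DEFAULT Auth-Type = ntlm_auth
```

With `wait = yes`, the user's password is handed to ntlm_auth as a command-line argument and is visible in the process list of the RADIUS host for as long as ntlm_auth runs, so that host should not have untrusted local users. Where the NAS can do MS-CHAP instead, letting the mschap module drive ntlm_auth with a challenge/response (the radiusd.conf comments that doc/rlm_ldap refers to) avoids ever having the cleartext password on the RADIUS side.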


Re: override ldap reply attribute

2007-04-23 Thread Chaos Commander
Kostas Kalevras wrote:

 [EMAIL PROTECTED] wrote:
  Hi Guys,
 
  I have maybe a quite simple question:
 
  is there any way to override the default ldap-reply attribute with another
  value than the one in ldap?
 
  i.e.:
 
  users-file:
 
  Default Called-Station-Id = 00-1A-30-2F-11-50:Test,
 Airespace-Interface-Name := 777
 
  ldap.attrmap:
 
  replyItem   Airespace-Interface-NameradiusCallingStationId
 
  wanted result:
 
  if the users-file doesn't match, use the value of the ldap-attribute
  radiusCallingStationId, otherwise use the value 777
 
 
  in this type of configuration it seems I can't override the ldap-reply
  attribute-value with the users-file.

 Check the order in which the files and ldap modules appear in the 
 authorize section. If you want to override an ldap value then you need 
 to have the files module after the ldap module.
 

unfortunately the problem still persists, even if I change the order :-(

any other ideas?

  is there any possible way to do this?
 
  thanks in advance :-)
 
  freeradiusver: 1.1.4
 
 

 
 
 -- 
 Kostas Kalevras - Network Operations Center
 National Technical University of Athens
 http://kkalev.wordpress.com
 

Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Forgive the newbie questions but I think it's best to clear up confusion.

client -> cisco -> FR server = eap

FR -> ADS 2003 = pap

Is that correct or am I way off track?

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Jacob Jarick wrote:
  Thanks again Alan,
  For reference the O'Reilly LDAP book instructs you to set Auth-Type
  := LDAP so that's where I got the bad reference (perhaps other people
  too).

   Yes.  There is a LOT of documentation (web pages, etc.) that say to do
 the wrong thing.  It's unfortunate that the people writing those don't
 read the FreeRADIUS docs first, and don't ask us to review their
 configuration.

  Now let's see if I understood the tables correctly.
 
  PAP is the only method that will support LDAP bind as user ?

   It's the other way around.  LDAP bind as user only works with PAP.

  When using PAP -> LDAP will I still have to map userPassword to 
  User-Password?

   No.

   I've added some more code that will go into 1.1.7 & 2.0.  If the LDAP
  module succeeds in retrieving a password from LDAP, it does NOT set
  Auth-Type to LDAP.

  Will there be extra configuration required on free radius to make use
  of pap -> ADS ldap or will it work automatically because ldap is
  configured in the modules {} section?

   I would ask what other authentication protocols you need to support
 before suggesting to set Auth-Type to LDAP.

  Won't using PAP mean plain text password from client -> cisco wap ->
  radius -> ADS server?

   No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
 with Auth-Type = LDAP.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Radius and OTP integration

2007-04-23 Thread Ouahiba MACHANI

Hi all,


I have to find a solution that integrates the use of OTP (One Time Password)
as a second factor authentication in addition to the first factor
authentication (which is generally username and password) into an existing
authentication system.

This solution should be integrated easily into the existing authentication
system regardless of the protocol used for authentication (Radius, Kerberos,
HTTP, EAP, etc.) and regardless of the OS.

My questions are:

1- What are the possibilities and the facilities offered by FreeRadius?

2- I thought about two solutions:

a- Developing a plug-in that could be integrated into the existing
authentication system. This plug-in will interact with the OTP-Server for
OTP validation.

b- Installing a radius server in front of the existing IT system. This
server will be configured in a way that it will redirect first factor
authentication requests (e.g. username/password) to the existing
authentication system and the OTP second factor authentication to the hosted
OTP services server, and give access to a user only when these 2 factors are
valid.

I have no idea about Radius. And these are general ideas and I want someone
to tell me if these solutions are possible and how to proceed. What is best
or better to do?

Is there any other solution?

Waiting for your response.

Thanks in advance.

Re: override ldap reply attribute

2007-04-23 Thread Kostas Kalevras
Chaos Commander wrote:
 Kostas Kalevras wrote:

   
 [EMAIL PROTECTED] wrote:
 
 Hi Guys,

 I have maybe a quite simple question:

 is there any way to override the default ldap-reply attribute with another
 value than the one in ldap?
 
 i.e.:

 users-file:

 Default Called-Station-Id = 00-1A-30-2F-11-50:Test,
   
 Airespace-Interface-Name := 777
 
 ldap.attrmap:

 replyItem   Airespace-Interface-NameradiusCallingStationId

 wanted result:

 if the users-file doesn't match, use the value of the ldap-attribute
 radiusCallingStationId, otherwise use the value 777
 
 in this type of configuration it seems I can't override the ldap-reply
 attribute-value with the users-file.
 
   
   
 Check the order in which the files and ldap modules appear in the 
 authorize section. If you want to override an ldap value then you need 
 to have the files module after the ldap module.

 

 unfortunately the problem still persists, also if i change the order :-(

 any other ideas?
   
Run in debug mode (radiusd -X) and POST the output.

   
 is there any possible way to do this?

 thanks in advance :-)

 freeradiusver: 1.1.4


   
   
 -- 
 Kostas Kalevras - Network Operations Center
 National Technical University of Athens
 http://kkalev.wordpress.com

 

   


-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com


Re: FR + LDAP + ADS 2003 password questions

2007-04-23 Thread Alan DeKok
Jacob Jarick wrote:
 Sorry to pester u Alan :P
 
 Does mschapv2 also support ntlm_auth ?

  Yes.  The mschap module does both mschapv1 and mschapv2.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Autotools related problems in freeradius 1.1.6

2007-04-23 Thread Kostas Zorbadelos
Greetings to all in the list.

I'd like to report an issue in the build scripts of freeradius. I
tried to build version 1.1.6 but the problem exists in earlier
versions too. 

If I do 

./configure --prefix=/opt/freeradius

the build scripts presume that --enable-developer is true. This has
the effect that -DNDEBUG is not defined in CFLAGS during compilation,
among other things, so the rad_assert() function can abort freeradius
operation in production environments.

I believe that by default, --enable-developer should be false unless
explicitly set during configure. Moreover, in a Solaris 9 environment
--enable-developer or --disable-developer seem to be ignored and
someone should define CFLAGS explicitly in the configure command to
define -NDEBUG macro.

Let me know if you need anything else to trace the issue.
Thanks,

Kostas Zorbadelos 


Re: FR + LDAP + ADS 2003 password questions

2007-04-23 Thread Jacob Jarick
Thanks

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Jacob Jarick wrote:
  Sorry to pester you Alan :P
 
  Does mschapv2 also support ntlm_auth ?

   Yes.  The mschap module does both mschapv1 and mschapv2.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


FR + LDAP + PAM + encryption question

2007-04-23 Thread Jacob Jarick
From my recent thread with Alan, I have gathered that ldap only supports PAP.

PAP sends the password in plain text.

Is it possible to encapsulate PAP inside another protocol, say EAP, to
protect it from packet sniffers etc.?

Failing that, is it possible to assign VLANs based on ldap primary group
via the ntlm_auth method?


Re: Autotools related problems in freeradius 1.1.6

2007-04-23 Thread Alan DeKok
Kostas Zorbadelos wrote:
 If I do 
 
 ./configure --prefix=/opt/freeradius
 
 the build scripts presume that --enable-developer is true.

  That may be an issue only in 1.1.6.  You should be able to change it
by doing --disable-developer.

 This has
 the effect that -DNDEBUG is not defined in CFLAGS during compilation,
 among other things, so the rad_assert() function can abort freeradius
 operation in production environments.

  Which is not necessarily a bad thing.  Yes, it's bad for your RADIUS
server to go down.  It's arguably worse for the RADIUS server to keep
running, and doing... something... after it notices that internal sanity
checks have failed.

 I believe that by default, --enable-developer should be false unless
 explicitly set during configure. Moreover, in a Solaris 9 environment
 --enable-developer or --disable-developer seem to be ignored and
 someone should define CFLAGS explicitly in the configure command to
 define -NDEBUG macro.
 
 Let me know if you need anything else to trace the issue.

  It's just a couple of lines of shell scripting in configure.in.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: NAS not accepting the Access-Accept?

2007-04-23 Thread A . L . M . Buxey
Hi,

 In the documentation of the switch it says:
 To provide each user with appropriate levels of access to the switch, set
 the following username attributes on your RADIUS server:
 - R/W access -- Set the Service-Type field value to Administrative
 - Read-Only -- set the Service-Type field value to NAS-Prompt
 
 So, in my users file, I have defined a user:
 testuser  NAS-IP-Address == 172.16.8.30, Cleartext-Password :=
 testing, Service-Type ==Administrative-User


testuser  NAS-IP-Address == 172.16.8.30, Cleartext-Password := testing
          Service-Type = Administrative-User

though if the server doesn't understand that attribute you may need to
add it to the dictionary file

however, another method is to use one of the other modules - e.g.
the Perl module, as part of authorization. it's trivial to then check the
NAS and the user and then assign/add new attributes.

alan

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PEAP/EAP-TLS with client and server certificate

2007-04-23 Thread Marcelo Augusto Rodrigues Pimentel

Hi,

I'm trying to configure FreeRADIUS with PEAP + EAP-TLS, but I'm confused about
how to configure radiusd.conf (sections authorize and authentication) and eap.conf.

Has someone implemented this configuration?

In the eap.conf file, should the default EAP type be TLS or PEAP?

What do I have to configure in the authorize and authentication sections?

I've attached my conf files below.

Best Regards ...

FreeRADIUS Version 1.0.1


eap.conf

eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        # Supported EAP-types
        # EAP-TLS
        tls {
                private_key_password = xxx
                private_key_file = ${raddbdir}/certs/freeradius_key.pem
                certificate_file = ${raddbdir}/certs/freeradius_cert.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
        }

        peap {
                default_eap_type = tls
        }

        #tls {
        #        private_key_password = xx
        #        private_key_file = ${raddbdir}/certs/freeradius_key.pem
        #        certificate_file = ${raddbdir}/certs/freeradius_cert.pem
        #        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        #        dh_file = ${raddbdir}/certs/dh
        #        random_file = ${raddbdir}/certs/random
        #        fragment_size = 1024
        #        include_length = yes
        #}

        #mschapv2 {
        #}
}


radiusd.conf (only authorize and authentication sections)

...

# Instantiation
instantiate {
}

#
authorize {
        preprocess
        files
        mschap
        eap
}

# Authentication.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

...




Message protected by professional secrecy. Improper use subjects the offender to
the penalties of the law. If you are not the addressee, please delete it and
inform the sender of the mistake.

This e-mail message and any attachment are intended exclusively for the named 
addressee. They may contain confidential information which may also be 
protected by professional secrecy. Unless you are the named addressee (or 
authorised to receive for the addressee) you may not copy or use this message 
or any attachment or disclose the contents to anyone else. If this e-mail was 
sent to you by mistake please notify the sender immediately and delete this 
e-mail.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
So the big question is: what Auth-Type do I use?

If LDAP is not permitted (it still confuses me, as I only need / want
RADIUS to authenticate against LDAP), what Auth-Type do I set in the
users file so that wireless users can authenticate using their ADS
usernames and passwords?

On 4/23/07, Jacob Jarick [EMAIL PROTECTED] wrote:
 Forgive the newbie questions but I think its best to clear up confusion.

 client -> cisco -> FR server = eap

 FR -> ADS 2003 = pap

 Is that correct or am I way off track.

 On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
  Jacob Jarick wrote:
   Thanks again Alan,
   For reference the oriellys LDAP book instructs you to set Auth-Type
   := LDAP so thats where I got the bad reference (perhaps other people
   to).
 
Yes.  There is a LOT of documentation (web pages, etc.) that say to do
  the wrong thing.  It's unfortunate that the people writing those don't
  read the FreeRADIUS docs first, and don't ask us to review their
  configuration.
 
   Now lets see if I understood the tables correctly.
  
   PAP is the only method that will support LDAP bind as user ?
 
It's the other way around.  LDAP bind as user only works with PAP.
 
   When Using PAP - LDAP will I still have to map userPassword to 
   User-Password ?
 
No.
 
    I've added some more code that will go into 1.1.7 & 2.0.  If the LDAP
  module succeeds in retrieving a password from LDAP, it does NOT set
  Auth-Type to LDAP.
 
   Will there be extra configuration required on free radius to make use
   of pap - ADS ldap or will it work automatically because ldap is
   configured in the modules {} section.
 
I would ask what other authentication protocols you need to support
  before suggesting to set Auth-Type to LDAP.
 
    Won't using PAP mean plain text password from client -> cisco wap ->
    radius -> ADS server?
 
No.  802.1x uses EAP, which is NOT PAP, and which is NOT compatible
  with Auth-Type = LDAP.
 
Alan DeKok.
  --
http://deployingradius.com   - The web site of the book
http://deployingradius.com/blog/ - The blog
  -
  List info/subscribe/unsubscribe? See 
  http://www.freeradius.org/list/users.html
 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
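Two mistakes recur in this thread: the howtos' `Auth-Type := LDAP` (which, as Alan says, only works for PAP and is useless for the 802.1X/EAP case), and, in the switch thread above, a reply attribute such as `Service-Type` written with `==` on the check-item line, where it only matches if the NAS sends it. The following is an added example, not code from any poster or from the FreeRADIUS project: a small linter for a 1.x `users` file that parses entries into check and reply items, reports both mistakes, and writes out a corrected file. `REPLY_INTENDED` and `SAMPLE_USERS` are assumptions constructed for illustration.

```python
"""Lint a FreeRADIUS 1.x 'users' file for two mistakes from this thread: a
hard-coded 'Auth-Type := LDAP' and a reply attribute written as a check item.
Added example, not FreeRADIUS project code; REPLY_INTENDED and SAMPLE_USERS
are assumptions constructed for illustration."""
import re
from dataclasses import dataclass, field

# users(5) operators, two-character ones first so '==' is not read as '='.
_OPS = ("==", ":=", "!=", ">=", "<=", "=~", "!~", "=*", "!*", "+=", "=", ">", "<")
_ITEM_RE = re.compile(r"^([\w-]+)\s*(" + "|".join(map(re.escape, _OPS)) + r")\s*(.+)$")

# Assumed list of attributes a NAS expects to *receive* in the Access-Accept.
# On the check line with '==' they only match if the NAS sent them.
REPLY_INTENDED = {"Service-Type", "Tunnel-Private-Group-Id", "Framed-IP-Address"}


@dataclass
class Entry:
    name: str
    lineno: int
    checks: list = field(default_factory=list)   # (attribute, operator, value)
    replies: list = field(default_factory=list)


def _split_items(text):
    """Split on commas that sit outside double quotes."""
    return [i.strip() for i in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', text) if i.strip()]


def _parse_item(item):
    m = _ITEM_RE.match(item)
    if not m:
        raise ValueError(f"cannot parse users item: {item!r}")
    return m.group(1), m.group(2), m.group(3).strip()


def parse_users(text):
    """Unindented line = entry name + check items; indented lines = reply items."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace():
            entries[-1].replies.extend(_parse_item(i) for i in _split_items(line))
        else:
            name, *rest = line.split(None, 1)
            entries.append(Entry(name, lineno, [_parse_item(i) for i in _split_items(rest[0] if rest else "")]))
    return entries


def _is_ldap(attr, val):
    return attr == "Auth-Type" and val.strip('"').upper() == "LDAP"


def lint(text):
    """Return (lineno, entry name, message) for each problem found."""
    problems = []
    for e in parse_users(text):
        for attr, op, val in e.checks:
            if _is_ldap(attr, val):
                problems.append((e.lineno, e.name, "Auth-Type := LDAP forces a bind-as-user "
                                 "check that only works for PAP; remove it and let rlm_ldap decide"))
            elif attr in REPLY_INTENDED and op == "==":
                problems.append((e.lineno, e.name, f"{attr} == {val} is a check item; to send it "
                                 f"to the NAS put '{attr} = {val}' on the reply line"))
    return problems


def fix_users(text):
    """Rewrite the file with both mistakes corrected; everything else is kept."""
    out = []
    for e in parse_users(text):
        checks, replies = [], list(e.replies)
        for attr, op, val in e.checks:
            if _is_ldap(attr, val):
                continue                              # drop it; rlm_ldap sets Auth-Type itself
            if attr in REPLY_INTENDED and op == "==":
                replies.append((attr, "=", val))      # send it instead of testing for it
            else:
                checks.append((attr, op, val))
        out.append(e.name + ("\t" + ", ".join(f"{a} {o} {v}" for a, o, v in checks) if checks else ""))
        for i, (a, o, v) in enumerate(replies):
            out.append(f"\t{a} {o} {v}" + ("," if i < len(replies) - 1 else ""))
        out.append("")
    return "\n".join(out)


# Constructed sample: DEFAULT follows the howtos' bad advice, 'testuser' is
# the Service-Type mistake from the switch thread above, 'readonly' is right.
SAMPLE_USERS = """\
DEFAULT\tAuth-Type := LDAP
\tFall-Through = Yes

testuser\tNAS-IP-Address == 172.16.8.30, Cleartext-Password := "testing", Service-Type == Administrative-User

readonly\tNAS-IP-Address == 172.16.8.30, Cleartext-Password := "testing"
\tService-Type = NAS-Prompt-User
"""

if __name__ == "__main__":
    for lineno, name, msg in lint(SAMPLE_USERS):
        print(f"line {lineno} ({name}): {msg}")
    print(fix_users(SAMPLE_USERS))
```

Run against the sample it flags the DEFAULT entry and `testuser`, and `fix_users()` drops the Auth-Type item and moves `Service-Type` to an indented reply line with `=`, which is the form the switch in that thread actually needs. The parser is deliberately minimal (no `$INCLUDE`, no backslash continuations), so treat it as a sanity check before `radiusd -X`, not as a replacement for it.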


Requesting Decent Freeradius + ADS 2003 + LDAP howto

2007-04-23 Thread Jacob Jarick
Ok, I have read them all - the wikis, the unrelated Novell howtos for
eDirectory, bought an O'Reilly book on LDAP (their FR + LDAP howto is
incorrect apparently) and googled countless times.

The articles on http://wiki.freeradius.org/LDAP aren't much help, they
just reiterate what's in the config files, and rlm_ldap doesn't seem to
mention setting the users file.

http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html

The above article instructs you to set Auth-Type := LDAP which is
wrong, I have been told by Alan (but what is correct then?).

I am about to start from fresh again just to make sure it's not a config
setting I have changed and forgot to fix.

But I would appreciate any good howtos others may have found and of
course any answers / information you guys can provide.

Thanks again.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fwd: Requesting Decent Freeradius + ADS 2003 + LDAP howto

2007-04-23 Thread Jacob Jarick
These examples here look a bit more promising.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 24, 2007 9:01 AM
Subject: Requesting Decent Freeradius + ADS 2003 + LDAP howto
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Fwd: Requesting Decent Freeradius + ADS 2003 + LDAP howto

2007-04-23 Thread Jacob Jarick
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Configuring_The_.2Fetc.2Fraddb.2Fradiusd.conf_File

Another howto that instructs you to set DEFAULT Auth-Type := LDAP

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 24, 2007 9:01 AM
Subject: Requesting Decent Freeradius + ADS 2003 + LDAP howto
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please

2007-04-23 Thread Jacob Jarick
Alan,

my test pc only supports PEAP over wireless and setup has to be wireless.

Removing ldap from the authenticate section causes an EAP error,
so I guess there is more configuration than simply removing /
commenting that section out.

I don't know how to not bind as a user when using FR + LDAP; no
document I have seen so far seems to cover it.

What encryption do you use for the LDAP password in radius.conf, so
that anonymous searches are not needed?

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FR + ADS 2003 + ntlm_auth

2007-04-23 Thread Jacob Jarick
radius -X -f: http://pastebin.ca/455389
config files:

Hello All,
I have gone back to ntlm_auth for the time being instead of LDAP due
to the incredibly frustrating lack of good documentation (if there are
good docs, link it or shut up).

None of the howtos / tutorials I have followed end in success; it's
always some LDAP error of some kind. At least half the FR + LDAP howtos
say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is
incorrect.

I followed Alan's Active Directory Integration tutorial and everything
is set up as the guide says, but EAP fails with this message:

 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.


I had this the first time I followed the pdf but I did find another
howto that said to add something else and that got it working, but for
the life of me I can't find it again.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


FR + ADS 2003 + ntlm_auth (including config files)

2007-04-23 Thread Jacob Jarick
radius -X -f: http://pastebin.ca/455389
config files: http://rapidshare.com/files/27607850/config.tgz.html

Hello All,
I have gone back to ntlm_auth for the time being instead of LDAP due
to the incredibly frustrating lack of good documentation (if there are
good docs, link it or shut up).

None of the howtos / tutorials I have followed end in success; it's
always some LDAP error of some kind. At least half the FR + LDAP howtos
say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is
incorrect.

I followed Alan's Active Directory Integration tutorial and everything
is set up as the guide says, but EAP fails with this message:

 rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.


I had this the first time I followed the pdf but I did find another
howto that said to add something else and that got it working, but for
the life of me I can't find it again.

On another note I'd like to volunteer to help update some of the
documentation out there on FR; some is horribly out of date and makes
for a very frustrating introduction for people.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Add a secondary ldap server to radiusd.conf

2007-04-23 Thread Hubert Kupper
On 23 Apr 2007 at 11:18, Kostas Kalevras wrote:

 Hubert Kupper wrote:
  Hello,
 
  how can I add a secondary ldap server to radiusd.conf for failover?

 Just create a second ldap module instance with the secondary ldap server 
 configuration and read doc/configurable_failover
 
Thanks!
I have 2 ldap module instances and will add 2 instances with the secondary ldap 
server.

Boert

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
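What Kostas describes (one rlm_ldap instance per directory server, wrapped in a `redundant` block as in doc/configurable_failover) looks like the fragment below for a 1.x radiusd.conf. It is an added example, not Hubert's or Kostas's configuration; the host names, bind DN, basedn and password are placeholders.

```text
modules {
        # One rlm_ldap instance per directory server.  Apart from 'server'
        # the two instances are configured identically.
        ldap ldap_primary {
                server = "ldap1.example.com"
                identity = "cn=radius,ou=services,dc=example,dc=com"
                password = "replace-me"
                basedn = "ou=people,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                net_timeout = 1        # seconds to wait for the TCP connect
                timeout = 4            # seconds to wait for a reply
                timelimit = 3          # server-side search time limit
        }
        ldap ldap_secondary {
                server = "ldap2.example.com"
                identity = "cn=radius,ou=services,dc=example,dc=com"
                password = "replace-me"
                basedn = "ou=people,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                net_timeout = 1
                timeout = 4
                timelimit = 3
        }
}

authorize {
        preprocess
        # 'redundant' runs ldap_secondary only when ldap_primary returns
        # "fail" (server unreachable, timeout).  A "notfound" from the
        # primary is a real answer and does not fall through.
        redundant {
                ldap_primary
                ldap_secondary
        }
        eap
}
```

Two things worth checking once this is in place: keep `net_timeout` short, because while the primary is down every request pays that connect timeout before the secondary is tried; and test the failover deliberately (block ldap1 and run `radtest` while watching `radiusd -X`) rather than discovering during an outage that the two instances differ in basedn or bind credentials. If, like Hubert, you already run two instances against the primary for different purposes, each of them needs its own secondary twin inside its own `redundant` block.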