Re: Help connecting to remote ldap server

2010-06-25 Thread Phil Mayers

On 24/06/10 17:33, John Dennis wrote:

On 06/24/2010 12:21 PM, Raymond Norton wrote:


[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that
the user is configured correctly?


You don't have the userPassword mapped in /etc/raddb/ldap.attrmap

But even if you did, ldap has this:

userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9


:: = base64-encoded

i.e. above is equivalent to:

userPassword: {SHA}wjO7uxeKqXGCEVXOLEsUJ89oCXQ=

...and is merely an LDIF convention.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
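Decoding that value and checking a candidate password against it, as an added example that is not part of the thread: the first sample line is the one quoted above, the other sample entries and the helper names are constructed here, and the verifier covers the {SHA}, {SSHA} and cleartext forms that rlm_pap can compare for PAP.

```python
# Added example, not code from the thread: decode an LDIF "::" (base64)
# attribute value and verify an RFC 2307-style userPassword against a
# candidate password. THREAD_LINE is the value quoted above; the other
# samples are constructed here with known passwords.
import base64
import hashlib
import hmac


def parse_ldif_attr(line):
    """Split one LDIF attribute line into (name, raw value bytes).

    RFC 2849: 'attr:: <base64>' carries a base64-encoded value, while
    'attr: <text>' carries the value literally. ldapsearch/slapcat output
    shows hashed passwords in the '::' form, which is the convention Phil
    describes above, not a second layer of protection.
    """
    name, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("not an LDIF attribute line: %r" % line)
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip())
    return name.strip(), rest.strip().encode()


def verify_userpassword(stored, candidate):
    """Return True if candidate matches a {SHA}, {SSHA} or cleartext value.

    {SHA}     base64(sha1(pw))                  unsalted, offline-guessable
    {SSHA}    base64(sha1(pw + salt) + salt)    salt follows the 20-byte digest
    (none)    cleartext
    Other schemes ({CRYPT}, {MD5}, ...) are reported as unverifiable.
    Constant-time comparison avoids leaking how many bytes matched.
    """
    pw = candidate.encode()
    if stored.startswith(b"{SHA}"):
        return hmac.compare_digest(base64.b64decode(stored[5:]),
                                   hashlib.sha1(pw).digest())
    if stored.startswith(b"{SSHA}"):
        blob = base64.b64decode(stored[6:])
        digest, salt = blob[:20], blob[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if stored.startswith(b"{"):
        return False
    return hmac.compare_digest(stored, pw)


def make_sha(password):
    """Build a {SHA} value (only used to construct sample data)."""
    return b"{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest())


def make_ssha(password, salt):
    """Build a {SSHA} value (only used to construct sample data)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


# The value quoted in the thread.
THREAD_LINE = "userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFE9"

# Constructed (LDIF line, candidate password, expected result) triples.
SAMPLES = [
    ("userPassword:: " + base64.b64encode(make_sha("correct horse")).decode(),
     "correct horse", True),
    ("userPassword:: " + base64.b64encode(make_sha("correct horse")).decode(),
     "wrong guess", False),
    ("userPassword: " + make_ssha("battery staple", b"s4lt").decode(),
     "battery staple", True),
    ("userPassword: plain-text-example", "plain-text-example", True),
    ("userPassword: {CRYPT}$6$placeholder", "anything", False),
]


def decode_thread_value():
    """The thread's '::' value decoded: just base64 around a {SHA} hash."""
    return parse_ldif_attr(THREAD_LINE)[1].decode()


def run_samples():
    """Verify every constructed sample; returns the list of outcomes."""
    return [verify_userpassword(parse_ldif_attr(line)[1], cand)
            for line, cand, _ in SAMPLES]


if __name__ == "__main__":
    print(decode_thread_value())
    for (line, cand, expected), got in zip(SAMPLES, run_samples()):
        print("%-60s %-16s %s" % (line[:60], cand, "ok" if got == expected else "MISMATCH"))
```

This is the comparison rlm_pap does once userPassword is mapped in ldap.attrmap, and it is what radtest with PAP exercises. It is also why the PEAP threads further down this digest need ntlm_auth or an NT-Password: MS-CHAPv2 cannot be verified from a {SHA} or {SSHA} value, only from the NT hash or a cleartext password.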


PEAP - AD Disabled

2010-06-25 Thread Nathan McDavit-Van Fleet
Okay,

I've had a working config with the following for the past month.

TTLS-LDAP
PEAP-AD
PEAP-Local Users File

After a month running everything perfectly, 3 days ago the PEAP-AD portion
of the AAA failed. This is for wireless auth.

Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it
appears as if the Samba connection to the AD is fine. Nothing has changed
config-wise between then and now, and I haven't found any interesting log
information. You just get a "Login incorrect" when you try to log in via
PEAP-AD. Everything else is verified as working.

Aside from FreeRADIUS itself, what are the differences between using
ntlm_auth via the CLI and via FreeRADIUS?

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434


RE: PEAP - AD Disabled

2010-06-25 Thread Danner, Mearl
Have you checked the certificate? That's one major difference. ntlm_auth is the
auth that happens after the cert conversation in PEAP is done.

Maybe a radiusd -X log to help us along?




Re: PEAP - AD Disabled

2010-06-25 Thread Phil Mayers

On 25/06/10 14:21, Nathan McDavit-Van Fleet wrote:

Okay,

I’ve had a working config with the following for the past month.

TTLS-LDAP

PEAP-AD

PEAP-Local Users File

After a month running everything perfectly, 3 days ago the “PEAP-AD”
portion of the AAA failed. This is for wireless auth.

Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So
it appears as if the Samba connection to the AD is fine. Nothing has
changed config wise between then and now, and I haven’t found any
interesting log information. You just get a “Login incorrect” when you
try to login via PEAP-AD. Everything else is verified as working.

Aside from Freeradius itself, what are the differences between using
ntlm_auth via CLI and via Freeradius?


Permissions? Including unix perms on the winbind socket, and perhaps 
SELinux labelling.



RE: PEAP - AD Disabled

2010-06-25 Thread Nathan McDavit-Van Fleet
Isn't the same certificate used in the TLS tunnel for TTLS?

Anyhow, it appears to be something to do with the person who configured Samba.
They clustered the servers and the privileges changed on
/var/cache/samba/winbind_privileged. That directory has been one of the
biggest problems we've had so far.

Thanks,

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension:5434
 

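To make the CLI-versus-daemon difference concrete, an added example that is not from the thread: a checker that reproduces the kernel's owner/group/other search test for a named user, applied to the winbind_privileged path Nathan mentions and the freerad daemon user that appears in the Debian debug output later in this digest. Samba creates that directory mode 0750 owned by root, so the daemon user has to be in its group; a root shell never notices. The function names are mine, and the checker does not model POSIX ACLs or SELinux labels (Phil's other suspect).

```python
# Added example, not code from the thread: why ntlm_auth can work from a
# root shell yet fail under FreeRADIUS. The daemon runs as an unprivileged
# user and must be able to traverse winbind's privileged socket directory.
import grp
import os
import pwd
import stat
import tempfile

WINBIND_PRIVILEGED_DIR = "/var/cache/samba/winbind_privileged"  # path named in the thread
RADIUS_USER = "freerad"  # daemon user from the Debian debug output in this digest


def groups_of(username):
    """All gids the user belongs to: primary gid plus supplementary groups."""
    pw = pwd.getpwnam(username)
    return {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}


def user_can_traverse(path, username):
    """Return (ok, reason): may `username` search (x) directory `path`?

    Owner bits apply if the user owns the directory, else group bits if the
    user is in the directory's group, else the 'other' bits. Root always
    passes, which is exactly why a test from a root shell proves nothing
    about the daemon.
    """
    try:
        st = os.stat(path)
    except OSError as e:
        return False, "cannot stat %s: %s" % (path, e.strerror)
    if not stat.S_ISDIR(st.st_mode):
        return False, "%s is not a directory" % path
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return False, "no such user: %s" % username
    if pw.pw_uid == 0:
        return True, "root bypasses mode bits"
    try:
        dir_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        dir_group = str(st.st_gid)
    if st.st_uid == pw.pw_uid:
        ok, klass = bool(st.st_mode & stat.S_IXUSR), "owner"
    elif st.st_gid in groups_of(username):
        ok, klass = bool(st.st_mode & stat.S_IXGRP), "group %s" % dir_group
    else:
        ok, klass = bool(st.st_mode & stat.S_IXOTH), "other"
    reason = "%s is mode %04o, %s matches as %s" % (
        path, stat.S_IMODE(st.st_mode), username, klass)
    if not ok and klass == "other":
        reason += "; add %s to group %s and restart the daemon" % (username, dir_group)
    return ok, reason


def running_as_root():
    return os.getuid() == 0


def self_check(mode):
    """Create a throwaway directory with `mode` and test the current user."""
    d = tempfile.mkdtemp()
    try:
        os.chmod(d, mode)
        return user_can_traverse(d, pwd.getpwuid(os.getuid()).pw_name)[0]
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    ok, why = user_can_traverse(WINBIND_PRIVILEGED_DIR, RADIUS_USER)
    print("OK" if ok else "BLOCKED", "-", why)
```

Run it on the RADIUS host as the daemon would see things; a BLOCKED result with "matches as other" is the group-membership problem, while an OK result points back at SELinux labelling or at the Samba-side change Nathan found.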


Freeradius + ldap

2010-06-25 Thread Marzieh Raoufnezhad
Hi,
I installed freeradius and configured it with LDAP, and also installed pptp,
on Debian lenny. I can log in to the radius server from Windows and I have a VPN
connection and internet.
Now I want to restrict my VPN users' bandwidth and internet charge (for
example a 4G charge for each user), but I don't know how to do it with
freeradius+LDAP.

I would be grateful if you can answer me as soon as possible.
Regards,
Raoufnezhad

EAP issue

2010-06-25 Thread David Peterson
I am having EAP issues with MSCHAPv2 packets.  Does this output point to
misconfiguration of FR or a NAS issue or both?

Fri Jun 25 10:42:30 2010 : Info: ++[pap] returns noop
Fri Jun 25 10:42:30 2010 : Info: Found Auth-Type = MSCHAP
Fri Jun 25 10:42:30 2010 : Info: +- entering group MS-CHAP {...}
Fri Jun 25 10:42:30 2010 : Info: [mschap] Told to do MS-CHAPv2 for 0010e7415...@wimax.com with NT-Password
Fri Jun 25 10:42:30 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Fri Jun 25 10:42:30 2010 : Info: ++[mschap] returns reject
Fri Jun 25 10:42:30 2010 : Info: Failed to authenticate the user.
} # server inner-tunnel
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled reply code 3
Framed-Filter-Id = SP=sp1:MSF=msf1;
Session-Timeout = 4200
MS-CHAP-Error = LE=691 R=1
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled Access-Reject
Fri Jun 25 10:42:30 2010 : Info: [eap] Handler failed in EAP/ttls
Fri Jun 25 10:42:30 2010 : Info: [eap] Failed in EAP select
Fri Jun 25 10:42:30 2010 : Info: ++[eap] returns invalid

David

 


Re: EAP issue

2010-06-25 Thread Phil Mayers

On 25/06/10 15:44, David Peterson wrote:

I am having EAP issues with MSCHAPv2 packets.  Does this output point to
misconfiguration of FR or a NAS issue or both?


Since you trimmed the debug output, it's impossible to be sure, but it 
points to the password on the client and server not being the same.



Fri Jun 25 10:42:30 2010 : Info: [mschap] Told to do MS-CHAPv2 for
0010e7415...@wimax.com with NT-Password

Fri Jun 25 10:42:30 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is
incorrect


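Reading the excerpt the way Phil does, as an added example that is not part of the thread: a small log walker that attributes each "[mschap] FAILED" line to the user named by the preceding "Told to do MS-CHAPv2 for" line, counts failures per user, and decodes the MS-CHAP-Error code the inner tunnel sent back (691 is ERROR_AUTHENTICATION_FAILURE in RFC 2759, i.e. bad username or password). The first block of SAMPLE_LOG is David's excerpt; the alice/bob lines and the function names are constructed here.

```python
# Added example, not code from the thread: attribute MS-CHAPv2 failures in a
# FreeRADIUS log to users and count them, so a single password mismatch can
# be told apart from a burst of failures worth alerting on.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Fri Jun 25 10:42:30 2010 : Info: ++[pap] returns noop
Fri Jun 25 10:42:30 2010 : Info: Found Auth-Type = MSCHAP
Fri Jun 25 10:42:30 2010 : Info: [mschap] Told to do MS-CHAPv2 for 0010e7415...@wimax.com with NT-Password
Fri Jun 25 10:42:30 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Fri Jun 25 10:42:30 2010 : Info: ++[mschap] returns reject
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled reply code 3
        MS-CHAP-Error = LE=691 R=1
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled Access-Reject
Fri Jun 25 10:43:01 2010 : Info: [mschap] Told to do MS-CHAPv2 for alice@example.net with NT-Password
Fri Jun 25 10:43:01 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Fri Jun 25 10:43:02 2010 : Info: [mschap] Told to do MS-CHAPv2 for alice@example.net with NT-Password
Fri Jun 25 10:43:02 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Fri Jun 25 10:43:05 2010 : Info: [mschap] Told to do MS-CHAPv2 for bob@example.net with NT-Password
Fri Jun 25 10:43:05 2010 : Info: ++[mschap] returns ok
"""

# Failure codes carried in MS-CHAP-Error (RFC 2759, section 6).
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure (bad username or password)",
    709: "error changing password",
}

TOLD_RE = re.compile(r"\[mschap\] Told to do MS-CHAPv2 for (\S+) with (\S+)")
FAIL_RE = re.compile(r"\[mschap\] FAILED: (.+)$")
OK_RE = re.compile(r"\+\+\[mschap\] returns ok")
ERR_RE = re.compile(r"MS-CHAP-Error = .*?E=(\d+)")


def summarize(log_text):
    """Walk the log once, carrying the most recent 'Told to do' user forward.

    Returns failures and successes per user, the failure reasons seen per
    user, and the decoded MS-CHAP-Error codes returned to the client.
    """
    failures, successes = Counter(), Counter()
    reasons = defaultdict(list)
    error_codes = []
    current = None  # user named by the last 'Told to do' line
    for line in log_text.splitlines():
        m = TOLD_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = FAIL_RE.search(line)
        if m and current:
            failures[current] += 1
            reasons[current].append(m.group(1))
            continue
        if OK_RE.search(line) and current:
            successes[current] += 1
            continue
        m = ERR_RE.search(line)
        if m:
            code = int(m.group(1))
            error_codes.append((code, MSCHAP_ERRORS.get(code, "unknown")))
    return {"failures": failures, "successes": successes,
            "reasons": dict(reasons), "error_codes": error_codes}


def repeated_failures(summary, threshold):
    """Users with at least `threshold` failures and no success in the window."""
    return sorted(u for u, n in summary["failures"].items()
                  if n >= threshold and summary["successes"][u] == 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for user, n in s["failures"].most_common():
        print("%-28s failures=%d successes=%d" % (user, n, s["successes"][user]))
    print("error codes:", s["error_codes"])
    print("repeated failures:", repeated_failures(s, 2))
```

The "with NT-Password" tail of the "Told to do" line is the credential the module had available; a single user failing once with E=691 is the mismatch Phil describes, whereas the same user or many users failing repeatedly is the pattern to feed into alerting rather than a configuration question.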


Re: PAP with LDAP and PEAP/MSCHAPv2 with ntlm_auth

2010-06-25 Thread Neil Prockter
On 24/06/10 11:03, Alan DeKok wrote:
 Neil Prockter wrote:
 I have a working config for PAP with LDAP against AD and a working
 config for PEAP/MSCHAPv2 with ntlm_auth.

 I need the server to do both but when I combine the configs one thing or
 another breaks.
 
   And debug output says... ?

This is a config that works for PAP/LDAP but not PEAP/MSCHAPv2:

Info: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on
Jan  5 2010 at 02:56:18
Info: Copyright (C) 1999-2009 The FreeRADIUS server project and
contributors.
Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info: PARTICULAR PURPOSE.
Info: You may redistribute copies of FreeRADIUS under the terms of the
Info: GNU General Public License v2.
Info: Starting - reading configuration files ...
Debug: including configuration file /etc/freeradius/radiusd.conf
Debug: including configuration file /etc/freeradius/proxy.conf
Debug: including configuration file /etc/freeradius/clients.conf
Debug: including files in directory /etc/freeradius/modules/
Debug: including configuration file /etc/freeradius/modules/exec
Debug: including configuration file /etc/freeradius/modules/radutmp
Debug: including configuration file /etc/freeradius/modules/expiration
Debug: including configuration file /etc/freeradius/modules/files
Debug: including configuration file /etc/freeradius/modules/attr_filter
Debug: including configuration file /etc/freeradius/modules/ippool
Debug: including configuration file /etc/freeradius/modules/etc_group
Debug: including configuration file /etc/freeradius/modules/counter
Debug: including configuration file /etc/freeradius/modules/realm
Debug: including configuration file /etc/freeradius/modules/detail.log
Debug: including configuration file /etc/freeradius/modules/wimax
Debug: including configuration file /etc/freeradius/modules/policy
Debug: including configuration file
/etc/freeradius/modules/detail.example.com
Debug: including configuration file /etc/freeradius/modules/linelog
Debug: including configuration file /etc/freeradius/modules/passwd
Debug: including configuration file /etc/freeradius/modules/preprocess
Debug: including configuration file /etc/freeradius/modules/perl
Debug: including configuration file /etc/freeradius/modules/mac2vlan
Debug: including configuration file /etc/freeradius/modules/sql_log
Debug: including configuration file /etc/freeradius/modules/acct_unique
Debug: including configuration file /etc/freeradius/modules/smbpasswd
Debug: including configuration file /etc/freeradius/modules/pap
Debug: including configuration file /etc/freeradius/modules/cui
Debug: including configuration file /etc/freeradius/modules/smsotp
Debug: including configuration file /etc/freeradius/modules/sradutmp
Debug: including configuration file /etc/freeradius/modules/always
Debug: including configuration file /etc/freeradius/modules/inner-eap
Debug: including configuration file /etc/freeradius/modules/attr_rewrite
Debug: including configuration file /etc/freeradius/modules/expr
Debug: including configuration file /etc/freeradius/modules/krb5
Debug: including configuration file /etc/freeradius/modules/chap
Debug: including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
Debug: including configuration file /etc/freeradius/modules/checkval
Debug: including configuration file /etc/freeradius/modules/otp
Debug: including configuration file /etc/freeradius/modules/digest
Debug: including configuration file /etc/freeradius/modules/ldap
Debug: including configuration file /etc/freeradius/modules/ntlm_auth
Debug: including configuration file /etc/freeradius/modules/mschap
Debug: including configuration file /etc/freeradius/modules/echo
Debug: including configuration file /etc/freeradius/modules/logintime
Debug: including configuration file /etc/freeradius/modules/detail
Debug: including configuration file /etc/freeradius/modules/pam
Debug: including configuration file /etc/freeradius/modules/mac2ip
Debug: including configuration file /etc/freeradius/modules/unix
Debug: including configuration file /etc/freeradius/eap.conf
Debug: including configuration file /etc/freeradius/policy.conf
Debug: including files in directory /etc/freeradius/sites-enabled/
Debug: including configuration file
/etc/freeradius/sites-enabled/inner-tunnel
Debug: including configuration file /etc/freeradius/sites-enabled/default
Debug: main {
Debug:  user = freerad
Debug:  group = freerad
Debug:  allow_core_dumps = no
Debug: }
Debug: including dictionary file /etc/freeradius/dictionary
Debug: main {
Debug:  prefix = /usr
Debug:  localstatedir = /var
Debug:  logdir = /var/log/freeradius
Debug:  libdir = /usr/lib/freeradius
Debug:  radacctdir = /var/log/freeradius/radacct
Debug:  hostname_lookups = no
Debug:  max_request_time = 30
Debug:  cleanup_delay = 5
Debug:  max_requests = 1024
Debug:  pidfile = /var/run/freeradius/freeradius.pid
Debug:  checkrad = /usr/sbin/checkrad
Debug:  debug_level = 0
Debug:  proxy_requests = yes

chroot

2010-06-25 Thread Mike Hammett
I read the appropriate section in radiusd.conf, but I don't know what 
needs to be in whatever folder I'm pointing the config to.



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



Re: PAP with LDAP and PEAP/MSCHAPv2 with ntlm_auth

2010-06-25 Thread Alan DeKok
Neil Prockter wrote:
 This is a config that works for PAP/LDAP but not PEAP/MSCHAPv2

  Change the version of Samba.  From eap.conf:

#  If it still doesn't work, and you're using Samba,
#  you may be encountering a Samba bug.  See:
#
#   https://bugzilla.samba.org/show_bug.cgi?id=6563
#
#  Note that we do not necessarily agree with their
#  explanation... but the fix does appear to work.
#
  Note that this problem *never* appears if the Cleartext-Password is
available to FreeRADIUS.  It *only* happens when Samba is being used.

  Try this for yourself.  Configure a Cleartext-Password in the users
file for a test user, and disable ntlm_auth.  If PEAP/MSCHAPv2 works,
then the problem is Samba, not FreeRADIUS.

  Alan DeKok.


Re: Help connecting to remote ldap server

2010-06-25 Thread Raymond Norton

Got things working (yeah!)

Had to reset the user's password with ldappassword. For some reason
freeradius couldn't read what was exported to the ldif file. Once I
changed passwords with ldappassword, radtest and WPA worked perfectly.


Also had to comment out this line in /etc/ldap/slapd.conf:

#access to attrs=userPassword

Thanks for the help


Re: Help connecting to remote ldap server

2010-06-25 Thread Josip Rodin
On Fri, Jun 25, 2010 at 05:54:38PM -0500, Raymond Norton wrote:
 Got things working (yeah!)

 Had to reset the user's password with ldappassword. For some reason
 freeradius couldn't read what was exported to the ldif file. Once I
 changed passwords with ldappassword, radtest and WPA worked perfectly.

 Also had to comment out this line in /etc/ldap/slapd.conf:

 #access to attrs=userPassword

This is what happens when people mess with passwords... now who knows who
else can read them.

-- 
 2. That which causes joy or happiness.


Re: Help connecting to remote ldap server

2010-06-25 Thread John Dennis

On 06/25/2010 06:54 PM, Raymond Norton wrote:

Got things working (yeah!)

Had to reset the user's password with ldappassword. For some reason
freeradius couldn't read what was exported to the ldif file. Once I
changed passwords with ldappassword, radtest and WPA worked perfectly.

Also had to comment out this line in /etc/ldap/slapd.conf:

#access to attrs=userPassword


That's very scary. You really want passwords protected by an ACL, 
otherwise they're available to the world.


This link gives some examples on ACL protection of the userPassword 
attribute, I'm sure there is other documentation.


http://www.zytrax.com/books/ldap/ch6/

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
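One way to write the ACL John is pointing at, as an added example that is not from the thread or the linked page, for an OpenLDAP slapd.conf; the bind DN cn=radius,dc=example,dc=com is a placeholder for whatever identity FreeRADIUS's ldap module is configured to bind with:

```conf
# Added example (not from the thread). slapd.conf access directives are
# evaluated in order and the first "access to" whose target matches wins,
# so the userPassword rule must come before any catch-all "access to *".
access to attrs=userPassword
    by self write
    by dn.exact="cn=radius,dc=example,dc=com" read
    by anonymous auth
    by * none

# Everything else: readable to authenticated users; anonymous may only bind.
access to *
    by users read
    by anonymous auth
```

The "by anonymous auth" clause lets simple binds succeed without anyone reading the hash, so if FreeRADIUS authenticates by binding as the user (Auth-Type LDAP) the explicit read grant can be dropped altogether; read is only needed when rlm_ldap fetches userPassword for rlm_pap to compare, which is what the radtest run above does. With the "access to attrs=userPassword" line commented out, the attribute falls under whatever catch-all follows, or under slapd's built-in default of "access to * by * read", which is exactly the exposure Josip and John are warning about.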