Re: Help connecting to remote ldap server
On 24/06/10 17:33, John Dennis wrote:
> On 06/24/2010 12:21 PM, Raymond Norton wrote:
>> [ldap] looking for reply items in directory...
>> WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
> You don't have the userPassword mapped in /etc/raddb/ldap.attrmap

But even if you did, ldap has this:

userPassword:: e1NIQX13ak83dXhlS3FYR0NFVlhPTEVzVUo4OW9DWFQ9

:: = base64-encoded

i.e. above is equivalent to:

userPassword: {SHA}wjO7uxeKqXGCEVXOLEsUJ89oCXQ=

...and is merely an LDIF convention.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PEAP - AD Disabled
Okay, I've had a working config with the following for the past month.

TTLS-LDAP
PEAP-AD
PEAP-Local Users File

After a month running everything perfectly, 3 days ago the PEAP-AD portion of the AAA failed. This is for wireless auth. Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine. Nothing has changed config-wise between then and now, and I haven't found any interesting log information. You just get a "Login incorrect" when you try to log in via PEAP-AD. Everything else is verified as working.

Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius?

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434
RE: PEAP - AD Disabled
Have you checked the certificate? That's one major difference. ntlm_auth is the auth after the cert conversation in PEAP is done. Maybe a radiusd -X log to help us along?

From: Nathan McDavit-Van Fleet
Sent: Friday, June 25, 2010 8:22 AM
To: 'FreeRadius users mailing list'
Subject: PEAP - AD Disabled

> [quoted copy of the original "PEAP - AD Disabled" message omitted; it appears in full above]
Re: PEAP - AD Disabled
On 25/06/10 14:21, Nathan McDavit-Van Fleet wrote:
> [...]
> Strangely, I can still auth from the CLI using ntlm_auth and wbinfo. So it appears as if the Samba connection to the AD is fine.
> [...]
> Aside from Freeradius itself, what are the differences between using ntlm_auth via CLI and via Freeradius?

Permissions? Including unix perms on the winbind socket, and perhaps SELinux labelling.
RE: PEAP - AD Disabled
Isn't the same certificate used in the TLS tunnel for TTLS?

Anyhow, it appears to be something to do with the person who configured Samba. They clustered the servers and the privileges changed in /var/cache/samba/winbind_privileged. That directory has been one of the biggest problems we've had so far.

Thanks,

Nathan Van Fleet
Telecommunications Analyst
Network Assessment and Integration
IITS Concordia University
(514) 848-2424 Extension: 5434

-----Original Message-----
From: Danner, Mearl
Sent: Friday, June 25, 2010 9:34 AM
To: FreeRadius users mailing list
Subject: RE: PEAP - AD Disabled

> Have you checked the certificate? That's one major difference. ntlm_auth is the auth after the cert conversation in PEAP is done. Maybe a radiusd -X log to help us along?
>
> From: Nathan McDavit-Van Fleet
> Sent: Friday, June 25, 2010 8:22 AM
> To: 'FreeRadius users mailing list'
> Subject: PEAP - AD Disabled
>
> > [quoted copy of the original "PEAP - AD Disabled" message omitted; it appears in full above]
Freeradius + ldap
Hi,

I installed freeradius and configured it with LDAP, and also installed pptp, on Debian lenny. I can log in to the radius server from Windows and I have a VPN connection and internet. Now I want to restrict my VPN users' bandwidth and internet charge (for example a 4G charge for each user), but I don't know how to do it with freeradius+LDAP. I would be grateful if you could answer me as soon as possible.

Regards,
Raoufnezhad
EAP issue
I am having EAP issues with MSCHAPv2 packets. Does this output point to misconfiguration of FR or a NAS issue or both?

Fri Jun 25 10:42:30 2010 : Info: ++[pap] returns noop
Fri Jun 25 10:42:30 2010 : Info: Found Auth-Type = MSCHAP
Fri Jun 25 10:42:30 2010 : Info: +- entering group MS-CHAP {...}
Fri Jun 25 10:42:30 2010 : Info: [mschap] Told to do MS-CHAPv2 for 0010e7415...@wimax.com with NT-Password
Fri Jun 25 10:42:30 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Fri Jun 25 10:42:30 2010 : Info: ++[mschap] returns reject
Fri Jun 25 10:42:30 2010 : Info: Failed to authenticate the user.
} # server inner-tunnel
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled reply code 3
	Framed-Filter-Id = SP=sp1:MSF=msf1;
	Session-Timeout = 4200
	MS-CHAP-Error = LE=691 R=1
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled Access-Reject
Fri Jun 25 10:42:30 2010 : Info: [eap] Handler failed in EAP/ttls
Fri Jun 25 10:42:30 2010 : Info: [eap] Failed in EAP select
Fri Jun 25 10:42:30 2010 : Info: ++[eap] returns invalid

David
Re: EAP issue
On 25/06/10 15:44, David Peterson wrote:
> I am having EAP issues with MSCHAPv2 packets. Does this output point to misconfiguration of FR or a NAS issue or both?

Since you trimmed the debug output, it's impossible to be sure, but it points to the password on the client and server not being the same.

> Fri Jun 25 10:42:30 2010 : Info: [mschap] Told to do MS-CHAPv2 for 0010e7415...@wimax.com with NT-Password
> Fri Jun 25 10:42:30 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
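Added example (my own, not part of the thread or of FreeRADIUS): a small triage pass over `radiusd -X` output that picks out the lines the two threads above turn on, namely the "No known good password was found in LDAP" warning, the mschap "MS-CHAP2-Response is incorrect" failure, the tunnelled Access-Reject, and the numeric MS-CHAP error code. The sample debug excerpt is constructed to match the shape of the lines quoted above; the user name in it is made up, and the rule texts are the readings given in the replies plus the standard MS-CHAP error meanings.

```python
import re
from typing import Dict, List

# Constructed radiusd -X excerpt, modelled on the lines quoted in the thread;
# the user name is made up.
SAMPLE_DEBUG = """\
Fri Jun 25 10:42:30 2010 : Info: ++[pap] returns noop
Fri Jun 25 10:42:30 2010 : Info: Found Auth-Type = MSCHAP
Fri Jun 25 10:42:30 2010 : Info: +- entering group MS-CHAP {...}
Fri Jun 25 10:42:30 2010 : Info: [mschap] Told to do MS-CHAPv2 for testuser@example.com with NT-Password
Fri Jun 25 10:42:30 2010 : Info: [mschap] FAILED: MS-CHAP2-Response is incorrect
Fri Jun 25 10:42:30 2010 : Info: ++[mschap] returns reject
Fri Jun 25 10:42:30 2010 : Info: Failed to authenticate the user.
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled reply code 3
Fri Jun 25 10:42:30 2010 : Info:     MS-CHAP-Error = "E=691 R=1"
Fri Jun 25 10:42:30 2010 : Info: [ttls] Got tunneled Access-Reject
Fri Jun 25 10:42:30 2010 : Info: [eap] Handler failed in EAP/ttls
"""

# MS-CHAP error codes as defined for MS-CHAPv2 (RFC 2759, section 6)
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure (bad password)",
    709: "error changing password",
}

# (regex, finding label, what to look at next)
RULES = [
    (r"No known good password was found in LDAP", "no-known-good-password",
     "userPassword is not mapped in ldap.attrmap, or the bind DN cannot read it"),
    (r"\[mschap\] FAILED: MS-CHAP2-Response is incorrect", "mschapv2-password-mismatch",
     "client and server passwords differ (the stored NT-Password may be stale)"),
    (r"Got tunneled Access-Reject", "inner-tunnel-reject",
     "the reject was produced by the inner-tunnel virtual server, not by the NAS"),
]


def triage(debug_text: str) -> Dict[str, object]:
    """Summarise the failure-related lines in a radiusd -X excerpt."""
    report: Dict[str, object] = {"user": None, "credential": None,
                                 "mschap_error": None, "findings": [], "hints": []}
    findings: List[str] = report["findings"]  # type: ignore[assignment]
    hints: List[str] = report["hints"]        # type: ignore[assignment]
    for line in debug_text.splitlines():
        # which user and which stored credential type rlm_mschap was handed
        m = re.search(r"Told to do MS-CHAPv2 for (\S+) with (\S+)", line)
        if m:
            report["user"], report["credential"] = m.group(1), m.group(2)
        # numeric code inside the MS-CHAP-Error reply attribute, e.g. E=691
        m = re.search(r"MS-CHAP-Error = .*?E=(\d+)", line)
        if m:
            report["mschap_error"] = int(m.group(1))
        for pattern, finding, hint in RULES:
            if re.search(pattern, line) and finding not in findings:
                findings.append(finding)
                hints.append(hint)
    code = report["mschap_error"]
    if code is not None:
        hints.append(f"MS-CHAP error {code}: {MSCHAP_ERRORS.get(code, 'unknown code')}")
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

As the reply says, a trimmed log cannot tell you *why* the passwords differ; the triage only tells you which side of the exchange produced the reject and which credential type the server was comparing against.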
Re: PAP with LDAP and PEAP/MSCHAPv2 with ntlm_auth
On 24/06/10 11:03, Alan DeKok wrote:
> Neil Prockter wrote:
>> I have a working config for PAP with LDAP against AD and a working config for PEAP/MSCHAPv2 with ntlm_auth. I need the server to do both, but when I combine the configs one thing or another breaks.
> And debug output says... ?

This is a config that works for PAP/LDAP but not PEAP/MSCHAPv2:

Info: FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan 5 2010 at 02:56:18
Info: Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
Info: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Info: PARTICULAR PURPOSE.
Info: You may redistribute copies of FreeRADIUS under the terms of the
Info: GNU General Public License v2.
Info: Starting - reading configuration files ...
Debug: including configuration file /etc/freeradius/radiusd.conf
Debug: including configuration file /etc/freeradius/proxy.conf
Debug: including configuration file /etc/freeradius/clients.conf
Debug: including files in directory /etc/freeradius/modules/
Debug: including configuration file /etc/freeradius/modules/exec
Debug: including configuration file /etc/freeradius/modules/radutmp
Debug: including configuration file /etc/freeradius/modules/expiration
Debug: including configuration file /etc/freeradius/modules/files
Debug: including configuration file /etc/freeradius/modules/attr_filter
Debug: including configuration file /etc/freeradius/modules/ippool
Debug: including configuration file /etc/freeradius/modules/etc_group
Debug: including configuration file /etc/freeradius/modules/counter
Debug: including configuration file /etc/freeradius/modules/realm
Debug: including configuration file /etc/freeradius/modules/detail.log
Debug: including configuration file /etc/freeradius/modules/wimax
Debug: including configuration file /etc/freeradius/modules/policy
Debug: including configuration file /etc/freeradius/modules/detail.example.com
Debug: including configuration file /etc/freeradius/modules/linelog
Debug: including configuration file /etc/freeradius/modules/passwd
Debug: including configuration file /etc/freeradius/modules/preprocess
Debug: including configuration file /etc/freeradius/modules/perl
Debug: including configuration file /etc/freeradius/modules/mac2vlan
Debug: including configuration file /etc/freeradius/modules/sql_log
Debug: including configuration file /etc/freeradius/modules/acct_unique
Debug: including configuration file /etc/freeradius/modules/smbpasswd
Debug: including configuration file /etc/freeradius/modules/pap
Debug: including configuration file /etc/freeradius/modules/cui
Debug: including configuration file /etc/freeradius/modules/smsotp
Debug: including configuration file /etc/freeradius/modules/sradutmp
Debug: including configuration file /etc/freeradius/modules/always
Debug: including configuration file /etc/freeradius/modules/inner-eap
Debug: including configuration file /etc/freeradius/modules/attr_rewrite
Debug: including configuration file /etc/freeradius/modules/expr
Debug: including configuration file /etc/freeradius/modules/krb5
Debug: including configuration file /etc/freeradius/modules/chap
Debug: including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
Debug: including configuration file /etc/freeradius/modules/checkval
Debug: including configuration file /etc/freeradius/modules/otp
Debug: including configuration file /etc/freeradius/modules/digest
Debug: including configuration file /etc/freeradius/modules/ldap
Debug: including configuration file /etc/freeradius/modules/ntlm_auth
Debug: including configuration file /etc/freeradius/modules/mschap
Debug: including configuration file /etc/freeradius/modules/echo
Debug: including configuration file /etc/freeradius/modules/logintime
Debug: including configuration file /etc/freeradius/modules/detail
Debug: including configuration file /etc/freeradius/modules/pam
Debug: including configuration file /etc/freeradius/modules/mac2ip
Debug: including configuration file /etc/freeradius/modules/unix
Debug: including configuration file /etc/freeradius/eap.conf
Debug: including configuration file /etc/freeradius/policy.conf
Debug: including files in directory /etc/freeradius/sites-enabled/
Debug: including configuration file /etc/freeradius/sites-enabled/inner-tunnel
Debug: including configuration file /etc/freeradius/sites-enabled/default
Debug: main {
Debug: 	user = freerad
Debug: 	group = freerad
Debug: 	allow_core_dumps = no
Debug: }
Debug: including dictionary file /etc/freeradius/dictionary
Debug: main {
Debug: 	prefix = /usr
Debug: 	localstatedir = /var
Debug: 	logdir = /var/log/freeradius
Debug: 	libdir = /usr/lib/freeradius
Debug: 	radacctdir = /var/log/freeradius/radacct
Debug: 	hostname_lookups = no
Debug: 	max_request_time = 30
Debug: 	cleanup_delay = 5
Debug: 	max_requests = 1024
Debug: 	pidfile = /var/run/freeradius/freeradius.pid
Debug: 	checkrad = /usr/sbin/checkrad
Debug: 	debug_level = 0
Debug: 	proxy_requests = yes
chroot
I read the appropriate section in radiusd.conf, but I don't know what needs to be in whatever folder I'm pointing the config to.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Re: PAP with LDAP and PEAP/MSCHAPv2 with ntlm_auth
Neil Prockter wrote:
> this is a config that works for PAP/LDAP but not PEAP/MSCHAPv2

Change the version of Samba. From eap.conf:

	# If is still doesn't work, and you're using Samba,
	# you may be encountering a Samba bug. See:
	#
	# https://bugzilla.samba.org/show_bug.cgi?id=6563
	#
	# Note that we do not necessarily agree with their
	# explanation... but the fix does appear to work.
	#

Note that this problem *never* appears if the Cleartext-Password is available to FreeRADIUS. It *only* happens when Samba is being used.

Try this for yourself. Configure a Cleartext-Password in the users file for a test user, and disable ntlm_auth. If PEAP/MSCHAPv2 works, then the problem is Samba, not FreeRADIUS.

Alan DeKok.
Re: Help connecting to remote ldap server
Got things working (yeah!)

Had to reset the user's password with ldappassword. For some reason freeradius couldn't read what was exported to the ldif file. Once I changed passwords with ldappassword, radtest and WPA worked perfectly.

Also had to comment out this line in /etc/ldap/slapd.conf:

#access to attrs=userPassword

Thanks for the help
Re: Help connecting to remote ldap server
On Fri, Jun 25, 2010 at 05:54:38PM -0500, Raymond Norton wrote:
> Got things working (yeah!)
> Had to reset the user's password with ldappassword. For some reason freeradius couldn't read what was exported to the ldif file. Once I changed passwords with ldappassword, radtest and WPA worked perfectly.
> Also had to comment out this line in /etc/ldap/slapd.conf:
> #access to attrs=userPassword

This is what happens when people mess with passwords... now who knows who else can read them.

--
2. That which causes joy or happiness.
Re: Help connecting to remote ldap server
On 06/25/2010 06:54 PM, Raymond Norton wrote:
> Got things working (yeah!)
> Had to reset the user's password with ldappassword. For some reason freeradius couldn't read what was exported to the ldif file. Once I changed passwords with ldappassword, radtest and WPA worked perfectly.
> Also had to comment out this line in /etc/ldap/slapd.conf:
> #access to attrs=userPassword

That's very scary. You really want passwords protected by an ACL, otherwise they're available to the world. This link gives some examples on ACL protection of the userPassword attribute; I'm sure there is other documentation.

http://www.zytrax.com/books/ldap/ch6/

--
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
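Added example (mine, not from the thread or from OpenLDAP) showing concretely what the two replies are warning about. The script parses `access to ... by ...` directives from a slapd.conf fragment and works out what an anonymous client gets on userPassword, following slapd's rules: the first `access to` directive whose what-clause covers the attribute applies, and within it the first `by` clause matching the requester; with no access directives at all the default is `access to * by * read`, and if directives exist but none matches, access is denied. Both configs are constructed: WEAK_CONF is what commenting out the userPassword ACL leaves behind, HARDENED_CONF gives the user write, a made-up RADIUS bind DN read, anonymous `auth` (enough to bind, not enough to read), and everyone else nothing.

```python
import shlex
from typing import Dict, List, Tuple

# slapd access levels, weakest to strongest (slapd.access(5))
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed slapd.conf fragments (not the poster's real config).
WEAK_CONF = """\
# access to attrs=userPassword
#         by self write
#         by anonymous auth
#         by * none
access to *
        by * read
"""

HARDENED_CONF = """\
access to attrs=userPassword
        by self write
        by dn.exact="cn=radius,ou=services,dc=example,dc=com" read
        by anonymous auth
        by * none
access to *
        by self write
        by * read
"""

Directive = Tuple[List[str], List[Tuple[str, str]]]   # (what tokens, [(who, level), ...])


def rank(level: str) -> int:
    """Order access levels; explicit privilege strings such as =rsc are treated as
    full access so that they are never overlooked (conservative)."""
    return LEVELS.index(level) if level in LEVELS else len(LEVELS)


def parse_access_directives(conf: str) -> List[Directive]:
    """Return the 'access to' directives in file order, joining continuation
    lines (leading whitespace) and skipping comments, as slapd.conf(5) does."""
    logical: List[str] = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives: List[Directive] = []
    for line in logical:
        tokens = shlex.split(line)          # strips the quotes around dn.exact="..."
        if tokens[:2] != ["access", "to"]:
            continue
        by_at = [i for i, t in enumerate(tokens) if t == "by"]
        what = tokens[2:by_at[0]] if by_at else tokens[2:]
        clauses: List[Tuple[str, str]] = []
        for n, pos in enumerate(by_at):
            end = by_at[n + 1] if n + 1 < len(by_at) else len(tokens)
            part = tokens[pos + 1:end]
            clauses.append((part[0], part[1] if len(part) > 1 else "none"))
        directives.append((what, clauses))
    return directives


def covers_userpassword(what: List[str]) -> bool:
    """Does the what-clause include the userPassword attribute? A clause with
    no attrs= part (e.g. '*' or a bare dn.subtree=) covers every attribute."""
    for tok in what:
        if tok.lower().startswith("attrs="):
            attrs = [a.strip().lower() for a in tok[len("attrs="):].split(",")]
            return "userpassword" in attrs or "*" in attrs
    return True


def userpassword_exposure(conf: str) -> Dict[str, object]:
    """What an anonymous client gets on userPassword, and who can read it."""
    directives = parse_access_directives(conf)
    if not directives:
        clauses = [("*", "read")]           # slapd default with no access directives
        matched = "(default) access to *"
    else:
        hit = next((d for d in directives if covers_userpassword(d[0])), None)
        clauses = hit[1] if hit else []     # directives present but none matches: denied
        matched = " ".join(hit[0]) if hit else None
    anon = next((lvl for who, lvl in clauses if who in ("anonymous", "*")), "none")
    readers = [who for who, lvl in clauses if rank(lvl) >= rank("read")]
    return {"directive": matched, "anonymous": anon,
            "protected": rank(anon) <= rank("auth"), "readers": readers}


if __name__ == "__main__":
    print("weak:    ", userpassword_exposure(WEAK_CONF))
    print("hardened:", userpassword_exposure(HARDENED_CONF))
```

The `by anonymous auth` clause is the one that matters for a RADIUS or VPN deployment: it lets a client bind as the user (the credential is checked by the server), while `by * none` stops anyone from pulling the hashes out of the directory.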