Re: Enabling / disabling active directory users

2010-06-17 Thread Iain Grant
Correct me if I am wrong, that would mean I'd have to use LDAP as my
connection between the FreeRADIUS server and the Win2008 RC2 AD instead
of my existing ntlm_auth connection?

Iain 


__
SCRI, Invergowrie, Dundee, DD2 5DA.  
The Scottish Crop Research Institute is a charitable company limited by 
guarantee. 
Registered in Scotland No: SC 29367.
Recognised by the Inland Revenue as a Scottish Charity No: SC 006662.


DISCLAIMER:

This email is from the Scottish Crop Research Institute, but the views 
expressed by the sender are not necessarily the views of SCRI and its 
subsidiaries.  This email and any files transmitted with it are confidential to 
the intended recipient at the e-mail address to which it has been addressed.  
It may not be disclosed or used by any other than that addressee.
If you are not the intended recipient you are requested to preserve this 
confidentiality and you must not use, disclose, copy, print or rely on this 
e-mail in any way. Please notify postmas...@scri.ac.uk quoting the name of the 
sender and delete the email from your system.

Although SCRI has taken reasonable precautions to ensure no viruses are present 
in this email, neither the Institute nor the sender accepts any responsibility 
for any viruses, and it is your responsibility to scan the email and the 
attachments (if any).
__-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Enabling / disabling active directory users

2010-06-16 Thread Iain Grant
We have on site a Windows 2008 RC2 domain controller (64-bit) which I
have a Linux based FreeRADIUS server hanging from.

My question is, other than changing the users file on the FreeRADIUS
server, is there another way of disabling a user from authentication
through the RADIUS server but still allow them access via the Active
Directory route?

So for example, a user can log in quite happily on site using their
Windows machine.
If they go offsite and try authentication via the RADIUS server they
will not be allowed.

Does Active Directory have a flag or something that can be set against
the user account to deny access via a RADIUS link?

Thanks

Iain



Freeradius 2.1.7 mschap2 deprecated condition

2010-05-11 Thread Iain Grant
I am trying to build a RADIUS server on a licensed Red Hat ES 5.5 with
the stock FreeRADIUS 2.1.7 RPMs.

The problem is %{Stripped-User-Name} does not seem to be working
properly.

If I run radiusd -X I can see the following

[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for ouru...@scri.ac.uk with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[mschap] expand: %{User-Name:-None} -> ouru...@scri.ac.uk
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=ouru...@scri.ac.uk
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-OURDOMAIN} -> --domain=OURDOMAIN
[mschap]  mschap2: 04
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=13b2ecc29de42369
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=f55853d43f231f154755ce89ca3136f13929f36d728dbfd9
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)

Note: I've changed the username and domain name in the above.

Is this fixable with a configuration file?

I have already got a working CentOS 5.5 server using FreeRADIUS 2.1.8,
but I want to move it to Red Hat to match all the other infrastructure
servers.
Also I'm writing a build document for the system so that someone else
has a document to follow in the future.

Thanks

iain


Iain Grant
Linux System Administrator
Scottish Crop Research Institute
Invergowrie
Dundee DD2 5DA
Tel : 01382 562731 x 2605




RE: Freeradius-Users Digest, Vol 61, Issue 37

2010-05-11 Thread Iain Grant

> The problem is %{Stripped-User-Name} does not seem to be working
> properly.

> There was a change to conditional expansions some time back... the
> output you see is just a warning... if you 'man unlang' you can see how
> such a condition should be written... the default config that ships
> with 2.1.8 should have this fixed... but just check your modules/*
> files for where this is used... mschapv2 or ntlm_auth from memory

This is strange as I have compared the modules/mschap files on both
systems (radius 2.1.8 on CentOS and radius 2.1.7 on RH ES 5.5) and
they are identical!!!

In fact I even cut and pasted the ntlm line from the working radius to
the Red Hat radius server.

Has someone else built a Red Hat radius 2.1.7 server to point to a
Windows ADS?

Thanks

Iain





Freeradius 2.1.7 mschap2 deprecated condition

2010-05-11 Thread Iain Grant
Solved it,

I had not added my realms to the bottom of proxy.conf.
Once changed everything is working.

Thanks

iain



Adding a signed certificate from a signing authority

2010-05-11 Thread Iain Grant
Apologies, I seem to be hogging this today.

My RADIUS server is working fine, so now I want to add a signed
certificate from a certificate authority.
Are there any pointers on how to do this?

I have found and carried out the steps on the wiki site around using
snake oil certificates and then creating your own production
certificates. But I now would like to add the externally signed
certificate for added security.

Thanks again 

Iain



Talking to Windows 2003 AD

2010-03-17 Thread Iain Grant
Firstly, I am new to FreeRADIUS and am configuring my first RADIUS server
to talk to our Windows 2003 AD.

I have installed and configured FreeRADIUS 2.1.8 to talk to the AD as
documented in various tutorials on the internet.

Initially I had configured the connection between the FreeRADIUS server
and our Windows 2003 Active Directory using ntlm_auth.
Using the command line

ntlm_auth --request-nt-key --domain=<your domain> --username=<your username>

comes back with

NT_STATUS_OK: Success (0x0)

which is what I would expect for a valid username and password.

Now when I go to the next step and enable this in
/etc/raddb/modules/mschap

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username==%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-OURDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

our Active Directory server comes back with an error. When I look
at the server log on our AD it shows

Event Type:     Failure Audit
Event Source:   Security
Event Category: Account Logon
Event ID:       680
Date:           17/03/2010
Time:           13:35:51
User:           NT AUTHORITY\SYSTEM
Computer:       DCB
Description:
Logon attempt by:   MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:     =radius_user
 Source Workstation: \\radius_server
 Error Code:        0xC064

When I google the Windows error code I get

Error code: 0xC064 - This error code can occur if a server is
configured to Require NTLMv2 Session Security and the client either is
configured to not use it or is unable to negotiate it (e.g., Altiris DOS
network boot stuff).

I know our server is configured for NTLMv2 and not V1.

Any ideas on how I can resolve this issue?

I cannot understand why running the command works and using the line in
MSCHAP fails?
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
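An added example, not from the thread or from FreeRADIUS itself, serving both the 2.1.7 "deprecated condition" post and the "Talking to Windows 2003 AD" post above: it models the %{%{A}:-%{B}} default-value expansion the posted mschap line relies on (the semantics are an assumption drawn from the debug output, not the server's own code), lists the single-xlat %{Attr:-default} forms that 2.1.7 warns about, and expands the posted ntlm_auth line offline so the account name that would reach the domain controller can be checked before the server is pointed at AD. The request attributes are constructed.

```python
import re
# Constructed request attributes for a PEAP/MSCHAPv2 request like the thread's;
# the names are those the posted mschap line uses, the values are made up.
REQUEST = {"User-Name": "radius_user",
           "Stripped-User-Name": "",   # empty: no realm was stripped from the name
           "mschap:NT-Domain": ""}     # empty: "No NT-Domain was found in the User-Name"

# The ntlm_auth value as posted in "Talking to Windows 2003 AD" (note the "==").
POSTED = ("/usr/bin/ntlm_auth --request-nt-key"
          " --username==%{%{Stripped-User-Name}:-%{User-Name:-None}}"
          " --domain=%{%{mschap:NT-Domain}:-OURDOMAIN}"
          " --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}")
FIXED = POSTED.replace("--username==", "--username=")   # single '=' for comparison

def _split_default(body):
    """Split an xlat body at its top-level ':-' into (value, default or None)."""
    depth = 0
    for i, ch in enumerate(body):
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
    return body, None

def expand(template, attrs):
    """Expand %{Attr}, %{Attr:-default} and nested %{%{A}:-%{B}} the way FreeRADIUS
    2.x unlang does (assumed here): an empty/missing value selects the default."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i]); i += 1
            continue
        depth, j = 1, i + 2                  # scan to the matching closing brace
        while depth:
            depth += {"{": 1, "}": -1}.get(template[j], 0)
            j += 1
        value, default = _split_default(template[i + 2:j - 1])
        value = expand(value, attrs) if value.startswith("%{") else attrs.get(value, "")
        out.append(value if value or default is None else expand(default, attrs))
        i = j
    return "".join(out)

def deprecated_conditionals(template):
    """%{Attr:-default} xlats that 2.1.x logs as 'Deprecated conditional expansion :-'."""
    return re.findall(r"%\{[A-Za-z0-9_-]+:-[^{}]*\}", template)

def logon_account(ntlm_auth_line, attrs):
    """Account name ntlm_auth would hand to the DC: the text after '--username='."""
    for arg in expand(ntlm_auth_line, attrs).split():
        if arg.startswith("--username="):
            return arg[len("--username="):]
```

With the line as posted the account comes out as =radius_user, the same string the Windows event 680 above recorded, while a single = gives radius_user.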