Re: Enabling / disabling active directory users
Correct me if I am wrong, that would mean I'd have to use LDAP as my connection between the freeradius server and the Win2008 RC2 AD instead of my existing ntlm_auth connection?

Iain

__
SCRI, Invergowrie, Dundee, DD2 5DA.
The Scottish Crop Research Institute is a charitable company limited by guarantee. Registered in Scotland No: SC 29367. Recognised by the Inland Revenue as a Scottish Charity No: SC 006662.
DISCLAIMER: This email is from the Scottish Crop Research Institute, but the views expressed by the sender are not necessarily the views of SCRI and its subsidiaries. This email and any files transmitted with it are confidential to the intended recipient at the e-mail address to which it has been addressed. It may not be disclosed or used by any other than that addressee. If you are not the intended recipient you are requested to preserve this confidentiality and you must not use, disclose, copy, print or rely on this e-mail in any way. Please notify postmas...@scri.ac.uk quoting the name of the sender and delete the email from your system. Although SCRI has taken reasonable precautions to ensure no viruses are present in this email, neither the Institute nor the sender accepts any responsibility for any viruses, and it is your responsibility to scan the email and the attachments (if any).
__
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Enabling / disabling active directory users
We have on site a Windows 2008 RC2 domain controller (64-bit) which I have a Linux-based freeradius server hanging from. My question is: other than changing the users file on the freeradius server, is there another way of disabling a user from authentication through the radius server but still allowing them access via the Active Directory route?

So, for example, a user can log in quite happily on site using their Windows machine. If they go offsite and try authentication via the radius server, they will not be allowed. Does Active Directory have a flag or something that can be set against the user account to deny access via a radius link?

Thanks

Iain
Freeradius 2.1.7 mschap2 deprecated condition
I am trying to build a radius server on a licensed RedHat ES 5.5 with the stock Freeradius 2.1.7 rpms. The problem is %{Stripped-User-Name} does not seem to be working properly. If I run radiusd -X I can see the following:

  [mschapv2] +- entering group MS-CHAP {...}
  [mschap] Told to do MS-CHAPv2 for ouru...@scri.ac.uk with NT-Password
  [mschap]expand: %{Stripped-User-Name} -
  [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
  [mschap]expand: %{User-Name:-None} - ouru...@scri.ac.uk
  [mschap]expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} - --username=ouru...@scri.ac.uk
  [mschap] No NT-Domain was found in the User-Name.
  [mschap]expand: %{mschap:NT-Domain} -
  [mschap]expand: --domain=%{%{mschap:NT-Domain}:-OURDOMAIN} - --domain=OURDOMAIN
  [mschap] mschap2: 04
  [mschap]expand: --challenge=%{mschap:Challenge:-00} - --challenge=13b2ecc29de42369
  [mschap]expand: --nt-response=%{mschap:NT-Response:-00} - --nt-response=f55853d43f231f154755ce89ca3136f13929f36d728dbfd9
  Exec-Program output: Logon failure (0xc06d)
  Exec-Program-Wait: plaintext: Logon failure (0xc06d)

Note: I've changed the username and domain name in the above.

Is this fixable with a configuration file? I have already got a working Centos 5.5 server using freeradius 2.1.8, but I want to move it to RedHat to match all the other infrastructure servers. Also I'm writing a build document for the system so that someone else has a document to follow in the future.

Thanks

iain

Iain Grant
Linux System Administrator
Scottish Crop Research Institute
Invergowrie
Dundee
DD2 5DA
Tel : 01382 562731 x 2605
RE: Freeradius-Users Digest, Vol 61, Issue 37
> The problem is %{Stripped-User-Name} does not seem to be working properly.

> There was a change to conditional expansions some time back. The output you see is just a warning. If you 'man unlang' you can see how such a condition should be written. The default config that ships with 2.1.8 should have this fixed, but just check your modules/* files for where this is used... mschapv2 or ntlm_auth from memory.

This is strange, as I have compared the modules/mschap files on both systems (radius 2.1.8 on Centos and radius 2.1.7 on RH ES 5.5) and they are identical!!! In fact I even cut and pasted the ntlm line from the working radius to the RedHat radius server.

Has someone else built a RedHat radius 2.1.7 server to point to a Windows ADS??

Thanks

Iain
Freeradius 2.1.7 mschap2 deprecated condition
Solved it. I had not added my realms to the bottom of proxy.conf. Once changed, everything is working.

Thanks

iain
Adding a signed certificate from a signing authority
Apologies, I seem to be hogging this today. My radius server is working fine, so now I want to add a signed certificate from a certificate authority. Are there any pointers on how to do this? I have found and carried out the steps on the wiki site around using snake oil certificates and then creating your own production certificates. But I now would like to add the externally signed certificate for added security.

Thanks again

Iain
Talking to Windows 2003 AD
Firstly, I am new to FreeRadius and am configuring my first radius server to talk to our Windows 2003 AD. I have installed and configured FreeRadius 2.1.8 to talk to the AD as documented in various tutorials on the internet.

Initially I had configured the connection between the Freeradius server and our Windows 2003 Active Directory using ntlm_auth. Using the command line

  ntlm_auth --request-nt-key --domain=your domain --username= your username

comes back with

  NT_STATUS_OK : Success (0x0)

which is what I would expect as a valid username and password.

Now when I go to the next step and enable this in /etc/raddb/modules/mschap

  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username==%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-OURDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

our Active Directory server does come back with an error. When I look at the server log on our AD it shows

  Event Type: Failure Audit
  Event Source: Security
  Event Category: Account Logon
  Event ID: 680
  Date: 17/03/2010
  Time: 13:35:51
  User: NT AUTHORITY\SYSTEM
  Computer: DCB
  Description:
  Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Logon account: =radius_user
  Source Workstation: \\radius_server
  Error Code: 0xC064

When I google the Windows error code I get:

  Error code: 0xC064 - This error code can occur if a server is configured to Require NTLMv2 Session Security and the client either is configured to not use it or is unable to negotiate it (e.g., Altiris DOS network boot stuff).

I know our server is configured for NTLMv2 and not V1. Any ideas on how I can resolve this issue? I cannot understand why running the command works and using the line in MSCHAP fails?
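An added diagnostic (not from the list posters or the FreeRADIUS project) that reads the `[mschap]expand:` lines of `radiusd -X` output like those quoted in the 2.1.7 thread above and reports the two failure signatures seen on this page: a realm still attached to the username handed to ntlm_auth (fixed in the thread by listing the realm in proxy.conf) and a leading `=` produced by a `--username==` line in the mschap module. It assumes the `template - value` line shape shown on this page (the live server prints `->`, which is also accepted); the sample output is constructed with placeholder user and domain.

```python
import re

# Constructed sample in the shape of the `radiusd -X` output quoted in the thread
# (placeholder user and domain; not the list poster's real output).
SAMPLE_DEBUG = """\
[mschap]expand: %{Stripped-User-Name} -
[mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
[mschap]expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} - --username=user@example.org
[mschap] No NT-Domain was found in the User-Name.
[mschap]expand: --domain=%{%{mschap:NT-Domain}:-EXAMPLE} - --domain=EXAMPLE
Exec-Program output: Logon failure (0xc06d)
"""

# Accepts the " - " separator as it appears on the page and the " -> " of a live server.
EXPAND_RE = re.compile(r"^\[mschap\]expand: (?P<tmpl>.*?) -(?:>)? ?(?P<value>.*)$")
STATUS_RE = re.compile(r"Logon failure \((0x[0-9a-fA-F]+)\)")

def parse_expansions(debug_text):
    """Map each xlat template to what it expanded to ('' when empty)."""
    out = {}
    for line in debug_text.splitlines():
        m = EXPAND_RE.match(line)
        if m:
            out[m.group("tmpl")] = m.group("value")
    return out

def ntlm_arg(expansions, flag):
    """The value ntlm_auth receives for --flag=..., or None if not expanded."""
    for tmpl, value in expansions.items():
        if tmpl.startswith(flag + "=") and value.startswith(flag + "="):
            return value[len(flag) + 1:]
    return None

def diagnose(debug_text):
    """Return finding tags explaining why ntlm_auth may reject the logon."""
    findings = []
    user = ntlm_arg(parse_expansions(debug_text), "--username")
    if user is not None and "@" in user:
        # Stripped-User-Name was empty, so the realm reached ntlm_auth (proxy.conf realm missing).
        findings.append("realm-not-stripped")
    if user is not None and user.startswith("="):
        # A doubled '=' in the module line (--username==...) sends '=user', as in the AD audit entry.
        findings.append("doubled-equals-in-username")
    if "No NT-Domain was found" in debug_text:
        findings.append("domain-defaulted")  # --domain fell back to the literal default
    m = STATUS_RE.search(debug_text)
    if m:
        findings.append("nt-status:" + m.group(1).lower())
    return findings
```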