RE: freeradius against AD authentication not working

2006-10-31 Thread Chris Liles
You have the supplicant incorrectly configured. 

You can also try in radius.conf:
with_ntdomain_hack=yes 


--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Karthik R
Sent: Tuesday, October 31, 2006 6:32 PM
To: freeradius-users@lists.freeradius.org
Subject: freeradius against AD authentication not working

Running Freeradius v1.1.1 on a RHEL 4 box and trying to authenticate the WiFi
users against windows 2003 active directory using EAP-MSCHAPv2. I was able to
join the linux box to windows domain successfully and able to read the users
and groups from AD. I have configured the windows XP supplicant with root.der
certificate and EAP-MSCHAPv2. When I try to connect to access point, it takes
the local machine name default instead of asking for username and password.

Did I miss anything? Here is my radius log file.
 
bash3.0#radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf 
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius 
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024 
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no 
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes 
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200 
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon. 
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null) 
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = yes
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
Module: Instantiated mschap (mschap)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap) 
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp 
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no 
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc 
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/secert/cert- srv.pem
 tls: certificate_file = /usr/local/etc/raddb/secert/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/secert/root.pem
 tls: private_key_password = removed 
 tls: dh_file = /usr/local/etc/raddb/secert/dh
 tls: random_file = /usr/local/etc/raddb/secert/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null) 
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = mschapv2
 peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no 
 peap

RE: PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread Chris Liles
I thought the ldap module wouldn't work with PEAP and AD unless you store the 
LM and NT password hashes for each user in AD?! Because you can't get the 
cleartext password back from AD...

I don't think that extending AD to store this info would be difficult, I just 
think having those hashes updated when I user changes his/her password would be 
a pain, but I don't know.



--
Chris Liles


 -Original Message-
 From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of Phil Mayers
 Sent: Wednesday, June 28, 2006 4:20 PM
 To: FreeRadius users mailing list
 Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
 
 fvt3 wrote:
  Hi,
 
  I have a question on configuring freeradius to return
  vlan attributes base on a user group membership or ou.
   I have a windows client xp sp2 using peap mschap2 to
  authenticate off radius.  How do I set radius to
  return a vlan id of 10 if the user belongs to the
  student group and if the user belongs to the teacher
  group the user get a vlan id of 20?  I have freeradius
  to authenticate of Active Directory but its only
  returning one vlan..
 
  DEFAULT   NAS-Port-Type == Wireless-802.11
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 10,
Tunnel-Type = VLAN
 
  Do I have add something else in the user file?
 
 You will need to configure the LDAP module to fetch groups from ADs LDAP
 server. See copious documentation or posts to the list. Broadly, once
 the LDAP module is setup correctly:
 
 DEFAULT   NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 10,
   Tunnel-Type = VLAN
 
 DEFAULT   NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 20,
   Tunnel-Type = VLAN
 
 Alternatively if you fill AD in from some external system e.g. SQL
 database you can pull from there, or dump the groups to a file like so:
 
 username:groupname
 
 ...and use the (poorly-named) passwd module to add the group.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

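A worked model of the two DEFAULT entries above, added here as an example; it is not code from Phil Mayers's reply or from FreeRADIUS itself. It treats the `users` file the way FreeRADIUS does (entries tried in file order, every check item must match, first match wins unless Fall-Through is set) and feeds the Ldap-Group check item from a constructed username:groupname table standing in for the LDAP lookup or the passwd-module file Phil mentions. All user and group names are constructed for the example.

```python
# Added example (not from the mailing-list thread, not FreeRADIUS code):
# evaluating users-file DEFAULT entries that hand out a VLAN per group.

from dataclasses import dataclass

# Constructed stand-in for the group data the LDAP module (or the passwd
# module reading a "username:groupname" file) would supply.
GROUP_FILE = """\
alice:Students
bob:Staff
carol:Students
dave:Contractors
"""

def load_groups(text):
    """Parse username:groupname lines into {user: set(groups)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, group = line.partition(":")
        groups.setdefault(user, set()).add(group)
    return groups

@dataclass
class Entry:
    """One users-file entry: check items that must all match, reply items returned."""
    check: dict
    reply: dict
    fall_through: bool = False

# The two DEFAULT entries from the thread, in file order.
ENTRIES = [
    Entry(check={"NAS-Port-Type": "Wireless-802.11", "Ldap-Group": "Students"},
          reply={"Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-Id": "10",
                 "Tunnel-Type": "VLAN"}),
    Entry(check={"NAS-Port-Type": "Wireless-802.11", "Ldap-Group": "Staff"},
          reply={"Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-Id": "20",
                 "Tunnel-Type": "VLAN"}),
]

def check_matches(check, request, user_groups):
    """All check items must hold; Ldap-Group is answered by group membership."""
    for attr, wanted in check.items():
        if attr == "Ldap-Group":
            if wanted not in user_groups:
                return False
        elif request.get(attr) != wanted:
            return False
    return True

def authorize(request, entries=ENTRIES, group_text=GROUP_FILE):
    """Return the reply attributes the matching entry contributes, or None."""
    groups = load_groups(group_text)
    user_groups = groups.get(request.get("User-Name", ""), set())
    reply, matched = {}, False
    for entry in entries:
        if check_matches(entry.check, request, user_groups):
            matched = True
            reply.update(entry.reply)
            if not entry.fall_through:   # first match wins unless Fall-Through = Yes
                break
    return reply if matched else None

def vlan_for(user, port_type="Wireless-802.11"):
    """The VLAN id a user would be placed on, or None when no entry matches."""
    reply = authorize({"User-Name": user, "NAS-Port-Type": port_type})
    return None if reply is None else reply["Tunnel-Private-Group-Id"]

if __name__ == "__main__":
    for u in ("alice", "bob", "dave"):
        print(u, "->", vlan_for(u))
    print("bob on a wired port ->", vlan_for("bob", port_type="Ethernet"))
```

When no entry matches, the request carries no Tunnel-* reply items at all, so every such user ends up on whatever VLAN the access point applies by default; that is the "only returning one vlan" symptom in the original question, and a final DEFAULT entry (or an Auth-Type := Reject one) is how you decide what should happen to users outside both groups.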


RE: PEAP MSCHAP2 Freeradius Active Directory

2006-06-28 Thread Chris Liles
I never thought about splitting the authentication and authorization between
ntlm and ldap.

I don't see why that wouldn't work, but I really have no idea.

But that would be pretty slick, coupled with some hacked wrt54g's to support 
the vlans a pretty cheap enterprise level solution!

--
Chris Liles


 -Original Message-
 From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-[EMAIL PROTECTED] On Behalf Of Neal S. Garber
 Sent: Wednesday, June 28, 2006 4:44 PM
 To: FreeRadius users mailing list
 Subject: Re: PEAP MSCHAP2 Freeradius Active Directory
 
  You will need to configure the LDAP module to fetch groups from ADs LDAP
  server. See copious documentation or posts to the list. Broadly, once the
  LDAP module is setup correctly:
 
  DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 10,
  Tunnel-Type = VLAN
 
  DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 20,
  Tunnel-Type = VLAN
 
 The doc. states that LDAP only supports PAP.  Is this a problem given he
 said he's using PEAP/MSCHAPv2?  How would LDAP do the authentication if it
 doesn't have a clear text password?  Or is the approach to use MSCHAPv2 for
 authentication and then LDAP for authorization??
 
 Thanks for helping me better understand...
 
 


RE: PEAP + AD

2006-05-25 Thread Chris Liles
If you read the FAQ it says that you can't do CHAP with LDAP.

[speculation]
But I have also read about some guy successfully using OpenLDAP with PEAP 
because he stored the LM and NT password hashes in the ldap schema along with 
the clear text password. With AD I suppose you could extend the schema to store 
these as well, but you'd have to manually update them when a password changes.
[/end speculation]

In my attempts to use ldap with active directory for PEAP it wouldn't work, so 
I went samba. It works fine. Radiusd -X and the mailing list are your best 
friends. :)

--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kartthik 
Raghunathan
Sent: Thursday, May 25, 2006 12:17 AM
To: freeradius-users@lists.freeradius.org
Subject: PEAP + AD

I am trying to authenticate my windows supplicant (i.e. XP with SP2) with PEAP
against the windows 2000 AD. But in the error log I could see an Access-Reject
error message. So I need a clarification here: is it necessary to get samba on
with active directory to do PEAP + AD authentication?

Sorry for the silly question here!



RE: PEAP + AD

2006-05-25 Thread Chris Liles
  AD doesn't supply passwords through LDAP.  That's why the server
ships with support for ntlm_auth.

That is right, I forgot that even if you are on a ssl/tls ldap connection as an 
administrator, you can't pull the password back from AD.

What hooks are you talking about? The extensions for unix services?


--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 25, 2006 11:36 AM
To: FreeRadius users mailing list
Subject: Re: PEAP + AD 

Chris Liles [EMAIL PROTECTED] wrote:
 But I have also read about some guy successfully using OpenLDAP with
 PEAP because he stored the LM and NT password hashes in the ldap
 schema along with the clear text password. With AD I suppose you
 could extend the schema to store these as well, but you'd have to
 manually update them when a password changes.

  Yes.  There are hooks in AD to do just that, but the software
implementing the hooks has to be installed on every domain controller.

 In my attempts to use ldap with active directory for PEAP it
 wouldn't work, so I went samba. It works fine. Radiusd -X and the
 mailing list are your best friends. :)

  AD doesn't supply passwords through LDAP.  That's why the server
ships with support for ntlm_auth.

  Alan DeKok.


RE: Yet Another AD Question

2006-05-25 Thread Chris Liles
Look at the mschap section of the FR config file, everything is there, you just 
need to uncomment it.

--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh
Sent: Thursday, May 25, 2006 11:45 AM
To: FreeRadius users mailing list
Subject: Re: Yet Another AD Question

OK. So I think I'm going to go the Samba route.  I've
got Samba running on the same host as freeradius. I've
tested Samba/AD integration by creating a couple
shared folders on the Samba server and using Windows
AD accounts to mount/map them from windows machines -
it works.

Now, I need to get freeradius to send auth requests to
samba.  I guess there are a few ways to do this, one
of which would be LDAP again (now I'm trying to avoid
LDAP).  I'm not concerned with security (clear text
passwords, etc.) between samba and freeradius since
they are on the same box.

Any good pointers to some documentation on
freeradius/samba integration without ldap? What method
should I be using other than ldap?



RE: Freeradius + Wireless + AD

2006-05-24 Thread Chris Liles
Get samba on the AD first, then install freeradius.

Tons of docs about getting samba working with AD are on the net, after you get 
that working, come back and ask your freeradius questions. The default 
freeradius config only needs a couple of changes to accomplish what you want to 
get done.


--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kartthik 
Raghunathan
Sent: Wednesday, May 24, 2006 11:21 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius + Wireless + AD

I would like to know whether freeradius can run on rhel v3 smoothly. Also I am
planning to integrate my wireless AP (i.e. linksys) with freeradius and for
authentication I am going to use my active directory.

So can someone please let me know which packages I should install for a
smooth compilation? I am really having a hard time with this!

Thanks,
Kartthik



RE: Expirey dates

2006-05-24 Thread Chris Liles
Sure, 


Here is an example:


mysql> select * from radcheck where UserName = 'guestuser35';
+----+-------------+-----------------------+----+----------------------+
| id | UserName    | Attribute             | op | Value                |
+----+-------------+-----------------------+----+----------------------+
| 35 | guestuser35 | Password              | := | test                 |
| 36 | guestuser35 | MS-CHAP-Use-NTLM-Auth | := | No                   |
| 37 | guestuser35 | Expiration            | := | 24 May 2006 23:00:00 |
+----+-------------+-----------------------+----+----------------------+
3 rows in set (0.00 sec)



--
Chris Liles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy ohara
Sent: Wednesday, May 24, 2006 11:56 AM
To: FreeRadius users mailing list
Subject: Expirey dates
Importance: High


 Hi there
 
I'm using Free radius 1.0.5 with mysql.

I was wondering, is there a way to set it up so that if a user account expires
on 25/07/2006, when the user tries to get on on the 26th the user won't be let
on because the account has expired?

Jeremy




RE: peap with mysql

2006-05-19 Thread Chris Liles
) for request 7


--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Liles
Sent: Friday, May 19, 2006 10:42 AM
To: FreeRadius users mailing list
Subject: RE: peap with mysql 

Please forgive my ignorance, but can you be a little bit more specific.

I tried putting the following in the database:

mysql> select * from radcheck;
+----+----------+------------------------+----+--------+
| id | UserName | Attribute              | op | Value  |
+----+----------+------------------------+----+--------+
|  1 | temptest | Password               | := | authme |
|  2 | temptest | MS-CHAP-User-NTLM-Auth | == | No     |
+----+----------+------------------------+----+--------+

I added the following to dictionary:
ATTRIBUTE   MS-CHAP-User-NTLM-Auth  3003    string


But I am still seeing the call made for ntlm authing:

radius_xlat:  'temptest'
rlm_sql (sql): sql_set_user escaped user -- 'temptest'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'temptest'   ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'temptest'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
  FROM radgroupreply,usergroup WHERE usergroup.Username = 'temptest' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
rlm_sql (sql): No matching entry in the database for request from user 
[temptest]
  modcall[authorize]: module sql returns notfound for request 16
modcall: leaving group authorize (returns updated) for request 16
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 16
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for temptest with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 
'Challenge'
 mschap2: d2
radius_xlat: Running registered xlat function of module mschap for string 
'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=f323f6e00a6e7eef 
--nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 
--require-membership-of=DOMAIN+wifi-secure'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=temptest 
--challenge=f323f6e00a6e7eef 
--nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 
--require-membership-of=DOMAIN+wifi-secure
Exec-Program output: Logon failure (0xc06d) 
Exec-Program-Wait: plaintext: Logon failure (0xc06d) 
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 16
modcall: leaving group MS-CHAP (returns reject) for request 16


I'm guessing that I need to put the MS-CHAP-User-NTLM-Auth somewhere else??


--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, May 18, 2006 8:31 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql 

Chris Liles [EMAIL PROTECTED] wrote:
 How can I make the mschap module use both ntlm and mysql?

  If it gets a clear-text password, it should probably default to
using that.  For now, you can set the check item MS-CHAP-User-NTLM-Auth = No.

  Alan DeKok.



RE: peap with mysql

2006-05-18 Thread Chris Liles
Thanks Alan,

That worked perfectly.

Now the next problem:

I'm trying to set up freeradius to do ntlm and mysql. 

Currently mysql only works when I comment out the ntlm_auth line in the mschap 
section. I'm thinking because it is sending the username/password to the Domain 
Controller, which won't auth it because the info is in the mysql database when 
the ntlm line is present.

How can I make the mschap module use both ntlm and mysql?



--
Chris Liles


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, May 17, 2006 7:08 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql 

Chris Liles [EMAIL PROTECTED] wrote:
 To get peap working with a mysql backend do I need to store the LM
 and NT hashes of the password?

  No.

 I currently have my db setup like this:
 
 
 mysql> select * from radcheck;
 +----+----------+---------------+----+--------+
 | id | UserName | Attribute     | op | Value  |
 +----+----------+---------------+----+--------+
 |  1 | temptest | User-Password | == | authme |

  You should :=, not ==.

 Currently it works fine with NTRadPing, but not from the MS Supplicant :(

  Debug mode will tell you why: there's no User-Password in the
MS-CHAP request to do == comparisons on.

  Alan DeKok.



peap with mysql

2006-05-17 Thread Chris Liles
To get peap working with a mysql backend do I need to store the LM and NT 
hashes of the password?

I currently have my db setup like this:


mysql> select * from radcheck;
+----+----------+---------------+----+--------+
| id | UserName | Attribute     | op | Value  |
+----+----------+---------------+----+--------+
|  1 | temptest | User-Password | == | authme |
+----+----------+---------------+----+--------+
1 row in set (0.00 sec)

I would guess I need to add 2 more rows per user with the attributes 
LM-Password and NT-Password set to the correct hash. 

Currently it works fine with NTRadPing, but not from the MS Supplicant :(

The only reason I ask about the LM and NT Hashes is because I saw some info 
about that when using openldap.

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309



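The three "peap with mysql" messages above turn on two things, and the "Expirey dates" thread earlier on the page turns on a third: what the `==` and `:=` operators in radcheck do to a request (Alan DeKok's "You should :=, not =="), how the MS-CHAP-Use-NTLM-Auth check item decides between ntlm_auth and a locally stored password, and how an Expiration check item is enforced. The model below is an added example, not code from the thread or from FreeRADIUS's rlm_sql, rlm_mschap or rlm_expiration; the radcheck rows, request contents and clock values are constructed. The attribute is spelled MS-CHAP-Use-NTLM-Auth as in FreeRADIUS's dictionary (and in the later guestuser35 table); the temptest table on the page spells it MS-CHAP-User-NTLM-Auth, which is a different, locally defined attribute.

```python
# Added example (not from the thread, not FreeRADIUS code): how radcheck
# rows are applied to a request, which password source rlm_mschap then
# picks, and how an Expiration check item is enforced.

from datetime import datetime

# Date format accepted for the Expiration check item, e.g. "24 May 2006 23:00:00".
EXPIRATION_FORMAT = "%d %b %Y %H:%M:%S"

# Constructed radcheck rows: (id, UserName, Attribute, op, Value).
RADCHECK = [
    # The "==" row from the thread: compared against the request, which an
    # MS-CHAPv2 request can never satisfy (it carries no User-Password).
    (1, "temptest", "User-Password", "==", "authme"),
    (2, "temptest", "MS-CHAP-Use-NTLM-Auth", ":=", "No"),
    # What Alan DeKok suggested: ":=" makes the password a config item.
    (3, "localuser", "User-Password", ":=", "authme"),
    (4, "localuser", "MS-CHAP-Use-NTLM-Auth", ":=", "No"),
    # The guestuser35 rows from the "Expirey dates" thread.
    (5, "guestuser35", "User-Password", ":=", "test"),
    (6, "guestuser35", "MS-CHAP-Use-NTLM-Auth", ":=", "No"),
    (7, "guestuser35", "Expiration", ":=", "24 May 2006 23:00:00"),
]

def apply_check_items(rows, request):
    """Evaluate one user's radcheck rows against a request.

    Returns (matched, config). "==" and "!=" rows are compared with the
    request; ":=" rows set a config (control) item without looking at the
    request; "=" sets it only if unset. No rows, or a failed comparison,
    is rlm_sql's "No matching entry in the database".
    """
    user_rows = [r for r in rows if r[1] == request.get("User-Name")]
    if not user_rows:
        return False, {}
    config = {}
    for _id, _user, attr, op, value in user_rows:
        if op == "==":
            if request.get(attr) != value:
                return False, {}
        elif op == "!=":
            if request.get(attr) == value:
                return False, {}
        elif op == ":=":
            config[attr] = value
        elif op == "=":
            config.setdefault(attr, value)
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True, config

def check_expiration(config, now):
    """rlm_expiration: reject once Expiration has passed, else cap the session."""
    if "Expiration" not in config:
        return "ok", {}
    expires = datetime.strptime(config["Expiration"], EXPIRATION_FORMAT)
    if expires <= now:
        return "reject", {}
    return "ok", {"Session-Timeout": int((expires - now).total_seconds())}

def mschap_backend(config, ntlm_auth_configured=True):
    """Password source rlm_mschap picks for an MS-CHAP request.

    ntlm_auth wins whenever it is configured, unless the check item
    MS-CHAP-Use-NTLM-Auth = No is present; that is why the mysql users in
    the thread only worked with the ntlm_auth line commented out.
    """
    use_ntlm = config.get("MS-CHAP-Use-NTLM-Auth", "Yes").lower() != "no"
    if ntlm_auth_configured and use_ntlm:
        return "ntlm_auth"
    if "User-Password" in config or "NT-Password" in config:
        return "local-password"
    return "no-password"  # "No User-Password configured. Cannot create NT-Password."

def authorize(request, now, rows=RADCHECK):
    """Check items, then expiration; returns (status, config, reply)."""
    if isinstance(now, str):
        now = datetime.strptime(now, EXPIRATION_FORMAT)
    matched, config = apply_check_items(rows, request)
    if not matched:
        return "notfound", {}, {}
    status, reply = check_expiration(config, now)
    return status, config, reply

if __name__ == "__main__":
    clock = "19 May 2006 10:00:00"
    # The Windows supplicant's MS-CHAPv2 request has no User-Password in it.
    print(authorize({"User-Name": "temptest"}, clock))
    status, cfg, _ = authorize({"User-Name": "localuser"}, clock)
    print(status, mschap_backend(cfg))
    print(authorize({"User-Name": "guestuser35"}, "24 May 2006 22:00:00"))
    print(authorize({"User-Name": "guestuser35"}, "26 May 2006 00:00:00"))
```

The temptest case reproduces the debug output on the page: the `==` row fails, sql returns notfound with no config items, and mschap, seeing no MS-CHAP-Use-NTLM-Auth = No, goes to ntlm_auth, which has never heard of the user. With NTRadPing sending a PAP request the User-Password is present and `==` succeeds, which is why that client appeared to work.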


with_ntdomain_hack

2006-05-10 Thread Chris Liles
I can't seem to figure out how to get with_ntdomain_hack set correctly.

I am trying to get peap going against active directory with winbind.

It works if I enter in the username and password from the windows supplicant
prompt, but when I set the supplicant to send the information automatically it
is appending the domain\ onto the username, and I can't get it to work?

Where is the 1 place (or places) to set with_ntdomain_hack = yes to get the
supplicant's auto settings to work?

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309


RE: with_ntdomain_hack

2006-05-10 Thread Chris Liles
You are right, it was that I was lowercasing the username before 
authentication...
After I turned that off, I am getting further, it still doesn't work and I 
believe it is because of a problem with Stripped-User-Name and ntlm_auth

ntlm_auth is getting called with the entire username DOMAIN\user and not 
user I don't understand why, as in the config file it says:
--username=%{Stripped-User-Name:-%{User-Name:-None}}

I didn't edit that part of the ntlm_auth line, just corrected the path..
I know this is a problem because when I use ntlm_auth from the command line I 
can't use --username=DOMAIN\user I have to use --username=user

I hacked up the line to just say %{Stripped-User-Name} but that value must be 
null or something, because then ntlm_auth gets called with --username=

Any thoughts as to why I can't get the DOMAIN\ stripped when calling ntlm_auth

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Wednesday, May 10, 2006 3:39 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

 

 -Original Message-
 I can't seem to figure out how to get with_ntdomain_hack set 
 correctly.
 
 I am trying to get peap going against active directory with winbind.
 
 It works if I enter in the username and password from the 
 windows supplicant prompt, but when I set the supplicant to 
 send the information automatically it is appending the 
 domain\ onto the username, and I can't get it to work?
 


I don't think it's the ntdomain hack that is the problem (It should be
on, and I'm only aware of it being located in the radiusd.conf file,
just above the ntlm_auth line).

I'd double check that your Samba config is correct.



RE: with_ntdomain_hack

2006-05-10 Thread Chris Liles
I changed the username portion to what you suggested and it works :)

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Wednesday, May 10, 2006 4:12 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

Try this ntlm_auth string (Watch for page breaks in email)

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

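The fix Michael King posted (and the `--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}` line in the first thread on this page) works because the mschap module's own expansions split DOMAIN\user themselves, whereas Stripped-User-Name is only set when a realm module has stripped a realm off the name, so `%{Stripped-User-Name}` expanded to nothing. The model below is an added example, not code from the thread, from FreeRADIUS or from Samba's ntlm_auth: it shows what the two mschap expansions return, builds the ntlm_auth argument vector from them, and computes the RFC 2759 MS-CHAPv2 challenge hash with and without the domain prefix, which is the mismatch with_ntdomain_hack exists to correct. The challenge bytes and the DOMAIN\user name are constructed.

```python
# Added example (not from the thread, not FreeRADIUS or Samba code):
# %{mschap:User-Name} / %{mschap:NT-Domain}, the ntlm_auth argv built from
# them, and why with_ntdomain_hack matters for the MS-CHAPv2 challenge hash.

import hashlib
import os

def split_nt_name(user_name):
    """Split DOMAIN\\user into (domain, user); (None, user) when there is no prefix."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return (domain or None), user
    return None, user_name

def mschap_xlat(user_name):
    """Model of the %{mschap:User-Name} and %{mschap:NT-Domain} expansions."""
    domain, user = split_nt_name(user_name)
    return {"User-Name": user, "NT-Domain": domain or ""}

def challenge_hash(peer_challenge, auth_challenge, user_name, ntdomain_hack=True):
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge | AuthenticatorChallenge | UserName)[:8].

    The supplicant hashes the bare user name; with_ntdomain_hack makes the
    server drop the DOMAIN\\ prefix so that it hashes the same bytes.
    """
    name = split_nt_name(user_name)[1] if ntdomain_hack else user_name
    digest = hashlib.sha1(peer_challenge + auth_challenge + name.encode("utf-8")).digest()
    return digest[:8]

def ntlm_auth_argv(user_name, challenge, nt_response, require_membership_of=None,
                   ntlm_auth="/usr/bin/ntlm_auth"):
    """Argument vector for ntlm_auth built from the mschap expansions.

    Returned as a list so it can be handed to an exec-style call without a
    shell: the user name arrives from the wire and must never be spliced
    into a shell command line.
    """
    x = mschap_xlat(user_name)
    argv = [ntlm_auth, "--request-nt-key", f"--username={x['User-Name']}"]
    if x["NT-Domain"]:
        argv.append(f"--domain={x['NT-Domain']}")
    argv += [f"--challenge={challenge.hex()}", f"--nt-response={nt_response.hex()}"]
    if require_membership_of:
        argv.append(f"--require-membership-of={require_membership_of}")
    return argv

if __name__ == "__main__":
    peer, auth = os.urandom(16), os.urandom(16)   # constructed challenges
    for name in ("user", "DOMAIN\\user"):
        print(name, mschap_xlat(name),
              "hack:", challenge_hash(peer, auth, name).hex(),
              "no hack:", challenge_hash(peer, auth, name, ntdomain_hack=False).hex())
    print(" ".join(ntlm_auth_argv("DOMAIN\\user", os.urandom(8), os.urandom(24),
                                  require_membership_of="DOMAIN+wifi-secure")))
```

The `--require-membership-of=DOMAIN+wifi-secure` argument comes from the debug output earlier on the page; keeping it in the ntlm_auth line is the simplest way to limit wireless access to one AD group when the server is not doing its own group checks.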


RE: win2003 Active Directory authentication

2006-05-08 Thread Chris Liles
Yes, you can use the ldap module of freeradius to hit your AD, I am doing this
now.

Yes, you can do ssl/tls for encryption between the radius server and AD.

Windows server 2000 does not support tls, only ssl.

It is similar to setting up mm_mod_auth_ldap for apache.

You will need an ldap browser to browse your domain to find out the correct
search filters for everything.

The only thing I can't figure out is how to check for group membership.

I posted to the mailing list, but no one has responded yet :(

There is good documentation on the wiki.

Look for my previous post about not getting groups working to see my config
files.

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309
Tel: (404) 942-5334
Fax: (404) 815-7708


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Smith
Sent: Monday, May 08, 2006 11:55 AM
To: freeradius-users@lists.freeradius.org
Subject: win2003 Active Directory authentication

I am running AD in native mode. By my ancient understanding of samba, I cannot
join this domain. I can authenticate using ldap, no? Also, is this insecure due
to clear text? Any other ideas for what I want here?

Thanks!


ldap group checking against active directory

2006-05-07 Thread Chris Liles
Hello mailing list!

I have tried to search the archive and the web for the answer to my question
but I am unable to find the answer..

I'm sure someone here has run into this before.

I am attempting to setup the good old freeradius + active directory + access
point to get peap going scenario.

I have freeradius setup fine to use ldap to auth the user, and it works.

I am attempting to setup finer access control (well really simple) to check if
the user is a member of a group before allowing access.

Here are some configs:

radiusd.conf

  ldap {
    server = domaincontroller.my.domain.com
    identity = adreader
    password = test1234
    basedn = cn=users,dc=my,dc=domain,dc=com
    filter = (sAMAccountName=%u)
    port = 636
    start_tls = no
    tls_mode = no
    # Mapping of RADIUS dictionary attributes to LDAP
    # directory attributes.
    dictionary_mapping = ${raddbdir}/ldap.attrmap
    ldap_connections_number = 5
    password_attribute = userPassword

    groupmembership_filter = (&(objectClass=group)(member=%{Ldap-UserDn}))
    groupmembership_attribute = memberOf
    timeout = 4
    timelimit = 3
    net_timeout = 1
  }

In my users file all I have is:

DEFAULT Ldap-Group == badgroup, Auth-Type := Reject
        Reply-Message = "Sorry, you are not allowed to have access"

When I use NTRadPing to test with a user that is in badgroup I still get an
Access-Accept back.

I can do an ldap search using the groupmembership_filter and I get back all the
groups my test user is in so I know that isn't the problem. Of course when I do
my search I replace the %{Ldap-UserDn} with the actual cn=username, plus what I
have for basedn.

Also I have the groupmembership_attribute defined because from what I gather
from the docs, it is used if the groupmembership filter fails.

Anywho, when I send an auth request while watching the debug output I don't see
anything about checking for group/groupmembership/etc.

If I change my filter filter = (sAMAccountName=%u) to also check for the group
name, everything will work, but of course I would like to use the users file.

I've got TLS set to no and port set to 636 because I am using a crap-tacular
windows 2000 domain, which doesn't support TLS :(

I think I am missing something or something isn't quite right. Anyone have any
ideas, or has anyone gotten ldap group checking to work against active
directory??

Thanks

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309

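The ldap {} section above configures two ways of answering `Ldap-Group == badgroup`: groupmembership_filter searches for group objects whose member attribute holds the user's DN, and groupmembership_attribute reads memberOf from the user's own entry. The model below is an added example and not rlm_ldap or any code from the post: it runs both lookups against a small constructed in-memory directory so the users-file check can be seen evaluating, and it builds the `(sAMAccountName=%u)` filter with RFC 4515 escaping of the substituted name, which any code that puts a name from the wire into a search filter has to do. DNs, account names and group names are constructed; the basedn and filter shapes follow the post's config.

```python
# Added example (not from the post, not rlm_ldap): the user filter with
# escaping, the two group lookups the ldap {} section configures, and the
# resulting Ldap-Group check, against a constructed directory.

# Constructed directory: DN -> attributes (lists, as LDAP returns them).
DIRECTORY = {
    "cn=testuser,cn=users,dc=my,dc=domain,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["testuser"],
        "memberOf": ["cn=badgroup,cn=users,dc=my,dc=domain,dc=com"]},
    "cn=adreader,cn=users,dc=my,dc=domain,dc=com": {
        "objectClass": ["user"], "sAMAccountName": ["adreader"], "memberOf": []},
    "cn=badgroup,cn=users,dc=my,dc=domain,dc=com": {
        "objectClass": ["group"], "cn": ["badgroup"],
        "member": ["cn=testuser,cn=users,dc=my,dc=domain,dc=com"]},
    "cn=wifi,cn=users,dc=my,dc=domain,dc=com": {
        "objectClass": ["group"], "cn": ["wifi"], "member": []},
}

def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def user_filter(user_name):
    """The module's `filter = (sAMAccountName=%u)` with %u escaped."""
    return f"(sAMAccountName={ldap_escape(user_name)})"

def find_user_dn(user_name, directory=DIRECTORY):
    """Resolve the user's DN (what the module keeps as Ldap-UserDn)."""
    for dn, attrs in directory.items():
        if "user" in attrs.get("objectClass", []) and user_name in attrs.get("sAMAccountName", []):
            return dn
    return None

def groups_by_filter(user_dn, directory=DIRECTORY):
    """groupmembership_filter = (&(objectClass=group)(member=%{Ldap-UserDn}))."""
    return {attrs["cn"][0] for attrs in directory.values()
            if "group" in attrs.get("objectClass", []) and user_dn in attrs.get("member", [])}

def groups_by_attribute(user_dn, directory=DIRECTORY):
    """groupmembership_attribute = memberOf: group names taken from the DNs in the user entry."""
    names = set()
    for group_dn in directory[user_dn].get("memberOf", []):
        rdn = group_dn.split(",", 1)[0]          # e.g. "cn=badgroup"
        names.add(rdn.split("=", 1)[1])
    return names

def ldap_group_check(user_name, wanted_group, directory=DIRECTORY):
    """Evaluate `Ldap-Group == wanted_group`; None when the user is not found."""
    user_dn = find_user_dn(user_name, directory)
    if user_dn is None:
        return None
    # The filter search is tried first; memberOf is the fallback the docs describe.
    groups = groups_by_filter(user_dn, directory) or groups_by_attribute(user_dn, directory)
    return wanted_group in groups

if __name__ == "__main__":
    print(user_filter("testuser"))
    print(user_filter("a*b)(cn=*"))   # hostile characters end up escaped, not interpreted
    print("testuser in badgroup:", ldap_group_check("testuser", "badgroup"))
    print("adreader in badgroup:", ldap_group_check("adreader", "badgroup"))
```

If radiusd -X never prints a group search for a request, the check item is not being evaluated at all rather than evaluating to false; in that case look at whether the ldap module is actually listed in the authorize section, since Ldap-Group is registered by the module and is only consulted when the module runs for the request.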