RE: freeradius against AD authentication not working
You have the supplicant incorrectly configured. You can also try in radius.conf: with_ntdomain_hack=yes

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Karthik R
Sent: Tuesday, October 31, 2006 6:32 PM
To: freeradius-users@lists.freeradius.org
Subject: freeradius against AD authentication not working

Running FreeRADIUS v1.1.1 on a RHEL 4 box and trying to authenticate the WiFi users against Windows 2003 Active Directory using EAP-MSCHAPv2. I was able to join the Linux box to the Windows domain successfully and am able to read the users and groups from AD. I have configured the Windows XP supplicant with the root.der certificate and EAP-MSCHAPv2. When I try to connect to the access point, it takes the local machine name by default instead of asking for a username and password. Did I miss anything? Here is my radius log file.

    bash3.0# radiusd -X -A
    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /usr/local/etc/raddb/proxy.conf
    Config: including file: /usr/local/etc/raddb/clients.conf
    Config: including file: /usr/local/etc/raddb/snmp.conf
    Config: including file: /usr/local/etc/raddb/eap.conf
    Config: including file: /usr/local/etc/raddb/sql.conf
     main: prefix = /usr/local
     main: localstatedir = /usr/local/var
     main: logdir = /usr/local/var/log/radius
     main: libdir = /usr/local/lib
     main: radacctdir = /usr/local/var/log/radius/radacct
     main: hostname_lookups = no
     main: max_request_time = 30
     main: cleanup_delay = 5
     main: max_requests = 1024
     main: delete_blocked_requests = 0
     main: port = 0
     main: allow_core_dumps = no
     main: log_stripped_names = no
     main: log_file = /usr/local/var/log/radius/radius.log
     main: log_auth = no
     main: log_auth_badpass = no
     main: log_auth_goodpass = no
     main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
     main: user = (null)
     main: group = (null)
     main: usercollide = no
     main: lower_user = no
     main: lower_pass = no
     main: nospace_user = no
     main: nospace_pass = no
     main: checkrad = /usr/local/sbin/checkrad
     main: proxy_requests = yes
     proxy: retry_delay = 5
     proxy: retry_count = 3
     proxy: synchronous = no
     proxy: default_fallback = yes
     proxy: dead_time = 120
     proxy: post_proxy_authorize = no
     proxy: wake_all_if_all_dead = no
     security: max_attributes = 200
     security: reject_delay = 1
     security: status_server = no
     main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    Using deprecated naslist file. Support for this will go away soon.
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/local/lib
    Module: Loaded exec
     exec: wait = yes
     exec: program = (null)
     exec: input_pairs = request
     exec: output_pairs = (null)
     exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded MS-CHAP
     mschap: use_mppe = yes
     mschap: require_encryption = yes
     mschap: require_strong = yes
     mschap: with_ntdomain_hack = yes
     mschap: passwd = (null)
     mschap: authtype = MS-CHAP
     mschap: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
    Module: Instantiated mschap (mschap)
    Module: Loaded PAP
     pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded System
     unix: cache = no
     unix: passwd = (null)
     unix: shadow = (null)
     unix: group = (null)
     unix: radwtmp = /usr/local/var/log/radius/radwtmp
     unix: usegroup = no
     unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
     eap: default_eap_type = peap
     eap: timer_expire = 60
     eap: ignore_unknown_eap_types = no
     eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
     gtc: challenge = Password:
     gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
     tls: rsa_key_exchange = no
     tls: dh_key_exchange = yes
     tls: rsa_key_length = 512
     tls: dh_key_length = 512
     tls: verify_depth = 0
     tls: CA_path = (null)
     tls: pem_file_type = yes
     tls: private_key_file = /usr/local/etc/raddb/secert/cert-srv.pem
     tls: certificate_file = /usr/local/etc/raddb/secert/cert-srv.pem
     tls: CA_file = /usr/local/etc/raddb/secert/root.pem
     tls: private_key_password = removed
     tls: dh_file = /usr/local/etc/raddb/secert/dh
     tls: random_file = /usr/local/etc/raddb/secert/random
     tls: fragment_size = 1024
     tls: include_length = yes
     tls: check_crl = no
     tls: check_cert_cn = (null)
    rlm_eap_tls: Loading the certificate file as a chain
    rlm_eap: Loaded and initialized type tls
     peap: default_eap_type = mschapv2
     peap: copy_request_to_tunnel = no
     peap: use_tunneled_reply = no
     peap
RE: PEAP MSCHAP2 Freeradius Active Directory
I thought the ldap module wouldn't work with PEAP and AD unless you store the LM and NT password hashes for each user in AD?! Because you can't get the cleartext password back from AD... I don't think that extending AD to store this info would be difficult, I just think having those hashes updated when a user changes his/her password would be a pain, but I don't know.

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Mayers
Sent: Wednesday, June 28, 2006 4:20 PM
To: FreeRadius users mailing list
Subject: Re: PEAP MSCHAP2 Freeradius Active Directory

fvt3 wrote:
> Hi, I have a question on configuring freeradius to return VLAN attributes based on a user's group membership or OU. I have a Windows XP SP2 client using PEAP MSCHAP2 to authenticate off RADIUS. How do I set RADIUS to return a VLAN id of 10 if the user belongs to the student group, and if the user belongs to the teacher group the user gets a VLAN id of 20? I have freeradius authenticating off Active Directory but it's only returning one VLAN.
>
>     DEFAULT NAS-Port-Type == Wireless-802.11
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Private-Group-Id = 10,
>             Tunnel-Type = VLAN
>
> Do I have to add something else in the users file?

You will need to configure the LDAP module to fetch groups from AD's LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is set up correctly:

    DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 10,
            Tunnel-Type = VLAN

    DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 20,
            Tunnel-Type = VLAN

Alternatively, if you fill AD in from some external system, e.g. an SQL database, you can pull from there, or dump the groups to a file like so:

    username:groupname

...and use the (poorly-named) passwd module to add the group.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: PEAP MSCHAP2 Freeradius Active Directory
I never thought about splitting the authentication and authorization between NTLM and LDAP. I don't see why that wouldn't work, but I really have no idea. But that would be pretty slick; coupled with some hacked WRT54Gs to support the VLANs, a pretty cheap enterprise-level solution!

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Neal S. Garber
Sent: Wednesday, June 28, 2006 4:44 PM
To: FreeRadius users mailing list
Subject: Re: PEAP MSCHAP2 Freeradius Active Directory

> You will need to configure the LDAP module to fetch groups from AD's LDAP server. See copious documentation or posts to the list. Broadly, once the LDAP module is set up correctly:
>
>     DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Students
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Private-Group-Id = 10,
>             Tunnel-Type = VLAN
>
>     DEFAULT NAS-Port-Type == Wireless-802.11, Ldap-Group == Staff
>             Tunnel-Medium-Type = IEEE-802,
>             Tunnel-Private-Group-Id = 20,
>             Tunnel-Type = VLAN

The doc. states that LDAP only supports PAP. Is this a problem given he said he's using PEAP/MSCHAPv2? How would LDAP do the authentication if it doesn't have a clear text password? Or is the approach to use MSCHAPv2 for authentication and then LDAP for authorization?? Thanks for helping me better understand...
RE: PEAP + AD
If you read the FAQ it says that you can't do CHAP with LDAP.

[speculation]
But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the LDAP schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.
[/end speculation]

In my attempts to use LDAP with Active Directory for PEAP it wouldn't work, so I went Samba. It works fine. radiusd -X and the mailing list are your best friends. :)

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kartthik Raghunathan
Sent: Thursday, May 25, 2006 12:17 AM
To: freeradius-users@lists.freeradius.org
Subject: PEAP + AD

I'm trying to authenticate my Windows supplicant (i.e. XP with SP2) with PEAP against the Windows 2000 AD. But in the error log I could see an Accept-Reject error message. So I need a clarification here: is it necessary to get Samba on with Active Directory to do PEAP + AD authentication? Sorry for the silly question here!
RE: PEAP + AD
> AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

That is right, I forgot that even if you are on an SSL/TLS LDAP connection as an administrator, you can't pull the password back from AD. What hooks are you talking about? The extensions for Unix services?

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, May 25, 2006 11:36 AM
To: FreeRadius users mailing list
Subject: Re: PEAP + AD

Chris Liles [EMAIL PROTECTED] wrote:
> But I have also read about some guy successfully using OpenLDAP with PEAP because he stored the LM and NT password hashes in the LDAP schema along with the clear text password. With AD I suppose you could extend the schema to store these as well, but you'd have to manually update them when a password changes.

Yes. There are hooks in AD to do just that, but the software implementing the hooks has to be installed on every domain controller.

> In my attempts to use LDAP with Active Directory for PEAP it wouldn't work, so I went Samba. It works fine. radiusd -X and the mailing list are your best friends. :)

AD doesn't supply passwords through LDAP. That's why the server ships with support for ntlm_auth.

Alan DeKok.
RE: Yet Another AD Question
Look at the mschap section of the FR config file; everything is there, you just need to uncomment it.

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Josh
Sent: Thursday, May 25, 2006 11:45 AM
To: FreeRadius users mailing list
Subject: Re: Yet Another AD Question

OK. So I think I'm going to go the Samba route. I've got Samba running on the same host as freeradius. I've tested Samba/AD integration by creating a couple of shared folders on the Samba server and using Windows AD accounts to mount/map them from Windows machines - it works. Now, I need to get freeradius to send auth requests to Samba. I guess there are a few ways to do this, one of which would be LDAP again (now I'm trying to avoid LDAP). I'm not concerned with security (clear text passwords, etc.) between Samba and freeradius since they are on the same box. Any good pointers to some documentation on freeradius/Samba integration without LDAP? What method should I be using other than LDAP?
RE: Freeradius + Wireless + AD
Get Samba on the AD first, then install freeradius. Tons of docs about getting Samba working with AD are on the net; after you get that working, come back and ask your freeradius questions. The default freeradius config only needs a couple of changes to accomplish what you want to get done.

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kartthik Raghunathan
Sent: Wednesday, May 24, 2006 11:21 AM
To: freeradius-users@lists.freeradius.org
Subject: Freeradius + Wireless + AD

I would like to know whether freeradius can run on RHEL v3 smoothly. Also I am planning to integrate my wireless AP (i.e. Linksys) with freeradius, and for authentication I am going to use my Active Directory. So can someone please let me know what packages I should install for smooth compilation? Really having a hard time with this!

Thanks,
Kartthik
RE: Expirey dates
Sure, here is an example:

    mysql> select * from radcheck where UserName = 'guestuser35';
    +----+-------------+-----------------------+----+----------------------+
    | id | UserName    | Attribute             | op | Value                |
    +----+-------------+-----------------------+----+----------------------+
    | 35 | guestuser35 | Password              | := | test                 |
    | 36 | guestuser35 | MS-CHAP-Use-NTLM-Auth | := | No                   |
    | 37 | guestuser35 | Expiration            | := | 24 May 2006 23:00:00 |
    +----+-------------+-----------------------+----+----------------------+
    3 rows in set (0.00 sec)

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeremy ohara
Sent: Wednesday, May 24, 2006 11:56 AM
To: FreeRadius users mailing list
Subject: Expirey dates
Importance: High

Hi there,

I'm using FreeRADIUS 1.0.5 with MySQL. I was wondering, is there a way to set it up whereby if a user account expires on 25/07/2006, when the user tries to get on on the 26th the user won't be let on because the account has expired?

Jeremy
RE: peap with mysql
) for request 7

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Liles
Sent: Friday, May 19, 2006 10:42 AM
To: FreeRadius users mailing list
Subject: RE: peap with mysql

Please forgive my ignorance, but can you be a little bit more specific? I tried putting the following in the database:

    mysql> select * from radcheck;
    +----+----------+------------------------+----+--------+
    | id | UserName | Attribute              | op | Value  |
    +----+----------+------------------------+----+--------+
    |  1 | temptest | Password               | := | authme |
    |  2 | temptest | MS-CHAP-User-NTLM-Auth | == | No     |
    +----+----------+------------------------+----+--------+

I added the following to the dictionary:

    ATTRIBUTE MS-CHAP-User-NTLM-Auth 3003 string

But I am still seeing the call made for NTLM authing:

    radius_xlat: 'temptest'
    rlm_sql (sql): sql_set_user escaped user -- 'temptest'
    radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'temptest' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 4
    radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'temptest' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radreply WHERE Username = 'temptest' ORDER BY id'
    radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'temptest' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql (sql): Released sql socket id: 4
    rlm_sql (sql): No matching entry in the database for request from user [temptest]
    modcall[authorize]: module sql returns notfound for request 16
    modcall: leaving group authorize (returns updated) for request 16
    rad_check_password: Found Auth-Type EAP
    auth: type EAP
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 16
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/mschapv2
    rlm_eap: processing type mschapv2
    Processing the authenticate section of radiusd.conf
    modcall: entering group MS-CHAP for request 16
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for temptest with NT-Password
    radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
    radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
    mschap2: d2
    radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
    radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=temptest --challenge=f323f6e00a6e7eef --nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 --require-membership-of=DOMAIN+wifi-secure'
    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=temptest --challenge=f323f6e00a6e7eef --nt-response=adbc3550e29c702918ea4c1a3f6a5811d1b58dbfcf3a21d2 --require-membership-of=DOMAIN+wifi-secure
    Exec-Program output: Logon failure (0xc06d)
    Exec-Program-Wait: plaintext: Logon failure (0xc06d)
    Exec-Program: returned: 1
    rlm_mschap: External script failed.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module mschap returns reject for request 16
    modcall: leaving group MS-CHAP (returns reject) for request 16

I'm guessing that I need to put the MS-CHAP-User-NTLM-Auth somewhere else??

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, May 18, 2006 8:31 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql

Chris Liles [EMAIL PROTECTED] wrote:
> How can I make the mschap module use both ntlm and mysql?

If it gets a clear-text password, it should probably default to using that. For now, you can set the check item MS-CHAP-User-NTLM-Auth = No.

Alan DeKok.
RE: peap with mysql
Thanks Alan, that worked perfectly.

Now the next problem: I'm trying to set up freeradius to do NTLM and MySQL. Currently MySQL only works when I comment out the ntlm_auth line in the mschap section. I'm thinking because it is sending the username/password to the Domain Controller, which won't auth it because the info is in the MySQL database, when the ntlm line is present. How can I make the mschap module use both NTLM and MySQL?

--
Chris Liles

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Wednesday, May 17, 2006 7:08 PM
To: FreeRadius users mailing list
Subject: Re: peap with mysql

Chris Liles [EMAIL PROTECTED] wrote:
> To get peap working with a mysql backend do I need to store the LM and NT hashes of the password?

No.

> I currently have my db set up like this:
>
>     mysql> select * from radcheck;
>     +----+----------+---------------+----+--------+
>     | id | UserName | Attribute     | op | Value  |
>     +----+----------+---------------+----+--------+
>     |  1 | temptest | User-Password | == | authme |

You should use :=, not ==.

> Currently it works fine with NTRadPing, but not from the MS Supplicant :(

Debug mode will tell you why: there's no User-Password in the MS-CHAP request to do == comparisons on.

Alan DeKok.
peap with mysql
To get PEAP working with a MySQL backend, do I need to store the LM and NT hashes of the password? I currently have my db set up like this:

    mysql> select * from radcheck;
    +----+----------+---------------+----+--------+
    | id | UserName | Attribute     | op | Value  |
    +----+----------+---------------+----+--------+
    |  1 | temptest | User-Password | == | authme |
    +----+----------+---------------+----+--------+
    1 row in set (0.00 sec)

I would guess I need to add 2 more rows per user with the attributes LM-Password and NT-Password set to the correct hash. Currently it works fine with NTRadPing, but not from the MS supplicant :( The only reason I ask about the LM and NT hashes is because I saw some info about that when using OpenLDAP.

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309
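The "peap with mysql" and "Expirey dates" threads above both turn on how radcheck rows are applied to an MS-CHAPv2 request (== compares against the request, := sets a control item, and an MS-CHAPv2 request never carries User-Password) and on whether rlm_mschap then calls ntlm_auth or verifies locally. The following Python model is an added example, not FreeRADIUS code; it assumes that Password is the old dictionary alias of User-Password, that a failed Expiration check simply makes the entry not match, and that ntlm_auth wins unless MS-CHAP-Use-NTLM-Auth is set to No in the control items.

```python
"""Model of check-item evaluation and rlm_mschap password-source selection
for an MS-CHAPv2 (PEAP) request.  Added example, not FreeRADIUS code."""
from datetime import datetime

# Expiration values as written in the thread, e.g. "24 May 2006 23:00:00"
EXPIRATION_FORMAT = "%d %b %Y %H:%M:%S"


def apply_check_items(request, check_items, now):
    """Apply (Attribute, op, Value) rows to a request.

    Returns (matched, control, reason).  'control' holds the items that :=
    rows set; an entry that fails to match contributes nothing at all.
    """
    control = {}
    for attr, op, value in check_items:
        if attr == "Password":                  # old alias of User-Password (assumption)
            attr = "User-Password"
        if attr == "Expiration":                # date check, operator ignored here
            if now >= datetime.strptime(value, EXPIRATION_FORMAT):
                return False, {}, "Expiration: account has expired"
            continue
        if op == ":=":
            control[attr] = value               # set; nothing is compared
        elif op == "==":
            # compared against the REQUEST; an attribute that is not in the
            # request (User-Password in an MS-CHAP request) can never match
            if request.get(attr) != value:
                return False, {}, f"{attr} == {value!r}: attribute not in request"
        else:
            raise ValueError(f"operator {op!r} not modelled")
    return True, control, "matched"


def choose_mschap_backend(control, ntlm_auth_configured=True):
    """Which password source rlm_mschap would use to verify MS-CHAP2-Response."""
    use_ntlm = control.get("MS-CHAP-Use-NTLM-Auth", "Yes").lower() != "no"
    if ntlm_auth_configured and use_ntlm:
        return "ntlm_auth"                      # winbind asks the domain controller
    if "NT-Password" in control:
        return "NT-Password"
    if "User-Password" in control:
        return "NT-Password derived from User-Password"   # MD4 over UTF-16LE text
    return "reject: no password available"


def authorize(request, check_items, now, ntlm_auth_configured=True):
    matched, control, reason = apply_check_items(request, check_items, now)
    return reason, choose_mschap_backend(control, ntlm_auth_configured)


# Constructed sample request: what an XP supplicant's inner MS-CHAPv2 round
# carries.  Note there is no User-Password attribute.
MSCHAPV2_REQUEST = {
    "User-Name": "temptest",
    "MS-CHAP-Challenge": "00" * 16,             # constructed placeholder
    "MS-CHAP2-Response": "00" * 50,             # constructed placeholder
}

FIRST_ATTEMPT = [("User-Password", "==", "authme")]
SECOND_ATTEMPT = [("Password", ":=", "authme"),
                  ("MS-CHAP-Use-NTLM-Auth", "==", "No")]
WORKING_ROWS = [("Password", ":=", "test"),
                ("MS-CHAP-Use-NTLM-Auth", ":=", "No"),
                ("Expiration", ":=", "24 May 2006 23:00:00")]

if __name__ == "__main__":
    now = datetime(2006, 5, 20, 12, 0, 0)
    for rows in (FIRST_ATTEMPT, SECOND_ATTEMPT, WORKING_ROWS):
        print(authorize(MSCHAPV2_REQUEST, rows, now))
    print(authorize(MSCHAPV2_REQUEST, WORKING_ROWS, datetime(2006, 5, 25)))
```

The last call shows the caveat for guest accounts: once the Expiration row fails, nothing from the entry is applied, so with ntlm_auth configured the request still goes to the domain controller, which rejects a user it does not know.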
with_ntdomain_hack
I can't seem to figure out how to get with_ntdomain_hack set correctly. I am trying to get PEAP going against Active Directory with winbind. It works if I enter the username and password at the Windows supplicant prompt, but when I set the supplicant to send the information automatically it appends the domain\ onto the username, and I can't get it to work. Where is the one place (or places) to set with_ntdomain_hack = yes to get the supplicant's auto settings to work?

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309
RE: with_ntdomain_hack
You are right, it was that I was lowercasing the username before authentication... After I turned that off, I am getting further; it still doesn't work, and I believe it is because of a problem with Stripped-User-Name and ntlm_auth.

ntlm_auth is getting called with the entire username DOMAIN\user and not user. I don't understand why, as in the config file it says:

    --username=%{Stripped-User-Name:-%{User-Name:-None}}

I didn't edit that part of the ntlm_auth line, just corrected the path.

I know this is a problem because when I use ntlm_auth from the command line I can't use --username=DOMAIN\user; I have to use --username=user.

I hacked up the line to just say %{Stripped-User-Name} but that value must be null or something, because then ntlm_auth gets called with --username=

Any thoughts as to why I can't get the DOMAIN\ stripped when calling ntlm_auth?

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, Michael
Sent: Wednesday, May 10, 2006 3:39 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

> -----Original Message-----
> I can't seem to figure out how to get with_ntdomain_hack set correctly. I am trying to get PEAP going against Active Directory with winbind. It works if I enter the username and password at the Windows supplicant prompt, but when I set the supplicant to send the information automatically it appends the domain\ onto the username, and I can't get it to work.

I don't think it's the ntdomain hack that is the problem (it should be on, and I'm only aware of it being located in the radiusd.conf file, just above the ntlm_auth line). I'd double check that your Samba config is correct.
RE: with_ntdomain_hack
I changed the username portion to what you suggested and it works :)

Thanks!

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, Michael
Sent: Wednesday, May 10, 2006 4:12 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

Try this ntlm_auth string (watch for page breaks in email):

    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Liles
Sent: Wednesday, May 10, 2006 3:51 PM
To: FreeRadius users mailing list
Subject: RE: with_ntdomain_hack

> You are right, it was that I was lowercasing the username before authentication... After I turned that off, I am getting further; it still doesn't work, and I believe it is because of a problem with Stripped-User-Name and ntlm_auth.
>
> ntlm_auth is getting called with the entire username DOMAIN\user and not user. I don't understand why, as in the config file it says:
>
>     --username=%{Stripped-User-Name:-%{User-Name:-None}}
>
> I didn't edit that part of the ntlm_auth line, just corrected the path.
>
> I know this is a problem because when I use ntlm_auth from the command line I can't use --username=DOMAIN\user; I have to use --username=user.
>
> I hacked up the line to just say %{Stripped-User-Name} but that value must be null or something, because then ntlm_auth gets called with --username=
>
> Any thoughts as to why I can't get the DOMAIN\ stripped when calling ntlm_auth?
>
> Thanks!
>
> --
> Chris Liles
> System Analyst
> Air2Web, Inc.
> 1230 Peachtree St. N.E.
> 12th Floor
> Atlanta, GA 30309
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of King, Michael
> Sent: Wednesday, May 10, 2006 3:39 PM
> To: FreeRadius users mailing list
> Subject: RE: with_ntdomain_hack
>
> > -----Original Message-----
> > I can't seem to figure out how to get with_ntdomain_hack set correctly. I am trying to get PEAP going against Active Directory with winbind. It works if I enter the username and password at the Windows supplicant prompt, but when I set the supplicant to send the information automatically it appends the domain\ onto the username, and I can't get it to work.
>
> I don't think it's the ntdomain hack that is the problem (it should be on, and I'm only aware of it being located in the radiusd.conf file, just above the ntlm_auth line). I'd double check that your Samba config is correct.
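The with_ntdomain_hack thread above comes down to how the ntlm_auth line is expanded: Stripped-User-Name is only present when a realm was stripped, so %{Stripped-User-Name:-%{User-Name:-None}} falls back to the full DOMAIN\user, %{Stripped-User-Name} alone expands to nothing, and %{mschap:User-Name} yields the bare user name. The same domain stripping is what with_ntdomain_hack applies when computing the MS-CHAPv2 ChallengeHash (RFC 2759 section 8.2), because Windows hashes the bare user name. The Python below is an added model, not FreeRADIUS code; the xlat grammar, the mschap xlat names and the request attributes are assumptions, and the challenge bytes are constructed sample values.

```python
"""Model of FreeRADIUS %{...} expansion on the ntlm_auth line and of the
effect of with_ntdomain_hack.  Added example, not FreeRADIUS code."""
import hashlib

WITH_NTDOMAIN_HACK = True     # mschap { with_ntdomain_hack = yes }


def split_nt_name(user_name):
    """'DOMAIN\\user' -> ('DOMAIN', 'user'); 'user' -> ('', 'user')."""
    domain, sep, user = user_name.partition("\\")
    return (domain, user) if sep else ("", user_name)


def challenge_hash(peer_challenge, auth_challenge, user_name,
                   with_ntdomain_hack=WITH_NTDOMAIN_HACK):
    """MS-CHAPv2 ChallengeHash: first 8 bytes of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    Windows hashes the bare user name, so the server must strip DOMAIN\\
    first (the hack); otherwise the NT-Response check fails for DOMAIN\\user."""
    name = split_nt_name(user_name)[1] if with_ntdomain_hack else user_name
    digest = hashlib.sha1(peer_challenge + auth_challenge + name.encode("ascii")).digest()
    return digest[:8]


def mschap_xlat(what, attrs):
    """%{mschap:...} expansions used on the ntlm_auth line (assumed model)."""
    user_name = attrs["User-Name"]
    if what == "User-Name":
        return split_nt_name(user_name)[1]            # bare user for ntlm_auth
    if what == "NT-Domain":
        return split_nt_name(user_name)[0]
    if what == "Challenge":
        return challenge_hash(attrs["MS-CHAP2-Peer-Challenge"],
                              attrs["MS-CHAP-Challenge"], user_name).hex()
    if what == "NT-Response":
        return attrs["MS-CHAP2-NT-Response"].hex()
    raise ValueError("unknown mschap xlat: " + what)


def _matching_brace(s, start):
    """Index of the '}' that closes the '{' at s[start] (nesting-aware)."""
    depth = 0
    for k in range(start, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced %{...} in xlat string")


def xlat(template, attrs):
    """Expand %{Attr}, %{Attr:-default} (default may nest) and %{mschap:X}."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            ref = template[i + 2:end]
            if ref.startswith("mschap:"):
                out.append(mschap_xlat(ref[len("mschap:"):], attrs))
            else:
                name, has_default, default = ref.partition(":-")
                value = attrs.get(name)
                if value is None:           # absent attribute: default or ""
                    value = xlat(default, attrs) if has_default else ""
                out.append(value)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Constructed sample request: the XP supplicant sent DOMAIN\user and no
# realm stripping ran, so Stripped-User-Name is absent.
SAMPLE_REQUEST = {
    "User-Name": "DOMAIN\\user",
    "MS-CHAP-Challenge": bytes(range(16)),          # constructed
    "MS-CHAP2-Peer-Challenge": bytes(range(16, 32)),  # constructed
    "MS-CHAP2-NT-Response": bytes(24),               # constructed
}

DEFAULT_LINE = "--username=%{Stripped-User-Name:-%{User-Name:-None}}"
STRIPPED_ONLY = "--username=%{Stripped-User-Name}"
SUGGESTED_LINE = ("/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} "
                  "--challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}")

if __name__ == "__main__":
    for line in (DEFAULT_LINE, STRIPPED_ONLY, SUGGESTED_LINE):
        print(xlat(line, SAMPLE_REQUEST))
```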
RE: win2003 Active Directory authentication
Yes, you can use the ldap module of freeradius to hit your AD; I am doing this now. Yes, you can do SSL/TLS for encryption between the RADIUS server and AD. Windows Server 2000 does not support TLS, only SSL. It is similar to setting up mm_mod_auth_ldap for Apache. You will need an LDAP browser to browse your domain to find out the correct search filters for everything. The only thing I can't figure out is how to check for group membership. I posted to the mailing list, but no one has responded yet :( There is good documentation on the wiki. Look for my previous post about not getting groups working to see my config files.

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309
Tel: (404) 942-5334
Fax: (404) 815-7708

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Smith
Sent: Monday, May 08, 2006 11:55 AM
To: freeradius-users@lists.freeradius.org
Subject: win2003 Active Directory authentication

I am running AD in native mode. By my ancient understanding of Samba, I cannot join this domain. I can authenticate using LDAP, no? Also, is this insecure due to clear text? Any other ideas for what I want here?

Thanks!
ldap group checking against active directory
Hello mailing list!

I have tried to search the archive and the web for the answer to my question but I am unable to find the answer. I'm sure someone here has run into this before.

I am attempting to set up the good old freeradius + Active Directory + access point to get PEAP going scenario. I have freeradius set up fine to use LDAP to auth the user, and it works. I am attempting to set up finer access control (well, really simple) to check if the user is a member of a group before allowing access. Here are some configs:

radiusd.conf:

    ldap {
            server = domaincontroller.my.domain.com
            identity = adreader
            password = test1234
            basedn = cn=users,dc=my,dc=domain,dc=com
            filter = (sAMAccountName=%u)
            port = 636
            start_tls = no
            tls_mode = no
            # Mapping of RADIUS dictionary attributes to LDAP
            # directory attributes.
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            password_attribute = userPassword
            groupmembership_filter = (&(objectClass=group)(member=%{Ldap-UserDn}))
            groupmembership_attribute = memberOf
            timeout = 4
            timelimit = 3
            net_timeout = 1
    }

In my users file all I have is:

    DEFAULT Ldap-Group == badgroup, Auth-Type := Reject
            Reply-Message = "Sorry, you are not allowed to have access"

When I use NTRadPing to test with a user that is in badgroup I still get an Access-Accept back. I can do an LDAP search using the groupmembership_filter and I get back all the groups my test user is in, so I know that isn't the problem. Of course, when I do my search I replace the %{Ldap-UserDn} with the actual cn=username,<what I have for basedn>.

Also I have the groupmembership_attribute defined because, from what I gather from the docs, it is used if the groupmembership filter fails.

Anywho, when I send an auth request while watching the debug output I don't see anything about checking for group/groupmembership/etc. If I change my filter

    filter = (sAMAccountName=%u)

to also check for the group name, everything will work, but of course I would like to use the users file.

I've got TLS set to no and port set to 636 because I am using a crap-tacular Windows 2000 domain, which doesn't support TLS :(

I think I am missing something or something isn't quite right. Anyone have any ideas, or has anyone gotten LDAP group checking to work against Active Directory??

Thanks

--
Chris Liles
System Analyst
Air2Web, Inc.
1230 Peachtree St. N.E.
12th Floor
Atlanta, GA 30309