RE: How to accept RADIUS traffic on multiple interfaces?

2013-08-14 Thread McNutt, Justin M.
Also don't forget to disable (or modify) SELinux. If memory serves, RHEL 6 comes with that enabled by default as well. --J

RE: How to accept RADIUS traffic on multiple interfaces?

2013-08-14 Thread McNutt, Justin M.
One other thing with multiple interfaces: RHEL 6 comes with some anti-spoofing features in the kernel enabled by default. I'm afraid I forget exactly what they are, but the idea is this: If the kernel gets a packet from HostA on eth1, but the routing table says that the return path to HostA

redundant-load-balance

2012-08-24 Thread McNutt, Justin M.
From 'man unlang' I see this: redundant-load-balance { ldap1 # 50%, unless ldap2 is down, then 100% ldap2 # 50%, unless ldap1 is down, then 100% } I clearly don't know what I'm doing when it comes to defining these modules. If I have just ldap in there, it works.

RE: redundant-load-balance

2012-08-24 Thread McNutt, Justin M.
Yup. That was it. Thanks to both of you who replied. :) --J

RE: redundant-load-balance

2012-08-24 Thread McNutt, Justin M.
Okay new related question. I have these working: ldap ldap1 { ... } ldap ldap2 { ... } ldap ldap3 { ... } Is there an $INCLUDE syntax for modules (is it perhaps just $INCLUDE ./file) that will load ./file in the current context that I can use so that ldap1, ldap2, and ldap3 can share all of

redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one listed in /etc/samba/smb.conf (which may be a coincidence). I set up several mschap instances like so: mschap mschap1 { ... ntlm_auth -s

RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
Alan D. and Alan B. are correct. Whatever this is, it isn't FreeRADIUS that isn't behaving. Radiusd -XC shows that pretty conclusively. At this point, if any of you are using Samba/ntlm_auth to handle the back-end authentication for FreeRADIUS, your advice is welcome, but it's definitely a

RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
and mschap On 08/24/2012 08:11 PM, McNutt, Justin M. wrote: Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one This is indeed a Samba issue, and unfortunately a hard one to fix. ntlm_auth doesn't

RE: redundant load balancing and mschap

2012-08-24 Thread McNutt, Justin M.
@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Friday, August 24, 2012 4:23 PM To: freeradius-users@lists.freeradius.org Subject: Re: redundant load balancing and mschap On 08/24/2012 08:11 PM, McNutt, Justin M. wrote

Re: RHEL Patches Broke FreeRADIUS

2012-03-03 Thread McNutt, Justin M.
Date: Sat, 3 Mar 2012 09:14:31 +0100 To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: RHEL Patches Broke FreeRADIUS McNutt, Justin M. wrote: I'd like to tackle this from the FreeRADIUS side rather than by reconfiguring

Re: Re[2]: High Avaibility

2012-03-02 Thread McNutt, Justin M.
Be careful with load balancers too. Some NAS don't work well through a load balancer (Trapeze wireless controllers). --J From: Толик Шавловский tolik_shavlov...@mail.ru

RHEL Patches Broke FreeRADIUS

2012-03-02 Thread McNutt, Justin M.
So my server admins did what they're supposed to do and ran yum update on everything last weekend. The updates included a refresh of the freeradius2 packages that took FR from 2.1.7 to 2.1.12. That's all fine and dandy, except that what rpm does when it has config files that are part of a

Am I still subscribed?

2012-03-02 Thread McNutt, Justin M.
Mailing list seems to be having problems. Checking to see if it's just me. --J - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-12 Thread McNutt, Justin M.
Subject: Re: Multi-domain AD and Users Who Aren't So Bright On 02/02/2012 05:33 PM, NdK wrote: On 02/02/2012 13:35, McNutt, Justin M. wrote: Thoughts? Opinions? Better ways to accomplish any/all of this? Briefly, there's

Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-10 Thread McNutt, Justin M.
-users@lists.freeradius.org Subject: Re: Multi-domain AD and Users Who Aren't So Bright On 02/02/2012 12:35 PM, McNutt, Justin M. wrote: ridiculously large number of phone calls to our Help Desk demonstrate this, not to mention the Login incorrect messages from FR. (I built all of my fix it stanzas

Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-10 Thread McNutt, Justin M.
Thoughts? Opinions? Better ways to accomplish any/all of this? Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct DOM\user format. Or make 'em

Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-02 Thread McNutt, Justin M.
On 02/01/2012 09:57 PM, McNutt, Justin M. wrote: Thoughts? Opinions? Better ways to accomplish any/all of this? Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users

Multi-domain AD and Users Who Aren't So Bright

2012-02-01 Thread McNutt, Justin M.
So I'm working on a way to Improve the User Experience. I've gotten a LONG way, but now I'm stuck. Here's the short/long version (all details, without undue explanation or discussion of what I tried that doesn't work): WARNING: This may well be a case of doing it the hard way. If that's the

Re: Multi-domain AD [Kudos]

2012-02-01 Thread McNutt, Justin M.
Btw, kudos to Alan DeKok and the rest of the FR developers for these FR abilities. The things listed here were INVALUABLE to figuring all of this out without just guessing: 1) radiusd -XC You just can't live without this. Seriously. 2) radiusd -X It's there for a reason. Specifically,

Re: self-signed root CA

2012-01-30 Thread McNutt, Justin M.
Thanks to all for the responses so far. I'm still reading through them. In my case, guests are given a WEP key (which just keeps the Automatically Connect to Open Networks devices away) and allowed to connect to a guest SSID which has a separate Internet drain, policies, limitations, etc. To

Re: self-signed root CA

2012-01-30 Thread McNutt, Justin M.
16:08, McNutt, Justin M. wrote: So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. For my own reasons, I'd like to know slightly more than

self-signed root CA

2012-01-25 Thread McNutt, Justin M.
So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. For my own reasons, I'd like to know slightly more than that. If you AREN'T using a self-signed

RE: FR 2.1.7 Exits for no reason

2011-03-11 Thread McNutt, Justin M.
Well, at the very least, I'm going to START there and see what happens. It's maddening, since it goes for weeks with no problems, and then suddenly two or three will die within hours. :( --J

FR 2.1.7 Exits for no reason

2011-03-08 Thread McNutt, Justin M.
Hey all, So the host-based auth stuff is working well now, but we've discovered another problem. We have four FR 2.1.7 servers running on RHEL 5 (fully patched). Every now and then, for no apparent reason, radiusd just stops. It exits with "Exiting normally." to syslog. They don't all exit

Secondary LDAP server

2011-03-08 Thread McNutt, Justin M.
One of my virtual servers uses LDAP auth. However, it isn't clear to me if modules/ldap can be configured with a secondary LDAP server, should the primary fail to respond. The group that provides the LDAP server can't set up multiple servers behind a load balancer due to cert issues, so I'm

RE: FR 2.1.7 Exits for no reason

2011-03-08 Thread McNutt, Justin M.
2.1.7 Exits for no reason Gdb From: McNutt, Justin M. [mailto:mcnu...@missouri.edu] Sent: Tuesday, March 08, 2011 04:59 PM To: freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org Subject: FR 2.1.7 Exits for no reason Hey all, So the host-based auth stuff is working well now

RE: Secondary LDAP server

2011-03-08 Thread McNutt, Justin M.
, etc in the doc: online and in FR conf files. Sorry I don't have the exact location handy, but I'm sure it's there. From: McNutt, Justin M. [mailto:mcnu...@missouri.edu] Sent: Tuesday, March 08, 2011 05:02 PM To: freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org Subject

RE: mschap with ntlm_auth and Active Directory

2011-03-04 Thread McNutt, Justin M.
root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6 --password=Pa$$w0rd NT_STATUS_OK: Success (0x0) root@FREERADIUS:/etc/freeradius# ntlm_auth

RE: mschap with ntlm_auth and Active Directory

2011-03-03 Thread McNutt, Justin M.
I'm using Samba version 3.5.4 and FreeRADIUS Version 2.1.9 on Ubuntu 10.10. I'm using 3.5.4 and FreeRADIUS 2.1.7. Should be okay. --J

RE: mschap with ntlm_auth and Active Directory

2011-03-03 Thread McNutt, Justin M.
Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv1 with NT-Password [mschap]expand: --username=%{mschap:User-Name:-None} - --username=001E52805980 [mschap] No NT-Domain was found in the User-Name. [mschap]expand: %{mschap:NT-Domain} -

RE: mschap with ntlm_auth and Active Directory

2011-03-03 Thread McNutt, Justin M.
I am trying to set up FreeRADIUS to process requests from our Wireless Controller. The controller uses the wireless device's MAC address as the username, and a predefined password. These MAC addresses all exist in Active Directory as user accounts, with the same password set. This works

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
These look like MS-CHAP machine-auth usernames; have you considered using: %{mschap:User-Name} %{mschap:NT-Domain} The mschap module has special handling for host/ names, and these will expand: host/name.domain.com to: name$ domain.com The trailing dollar sign on the

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
And what happens when you try to run ntlm_auth on the command-line? i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters. I haven't, partly because it works

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
Note use of %{mschap:User-Name} and %{mschap:NT-Domain}. Despite this, host/computer.domain login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses. And what happens when you try to run ntlm_auth on the command-line? i.e. take the

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
In the most recent debug I see you posted (16:36 yesterday) it's failing because: [eap] Request is supposed to be proxied to Realm $2. Not doing EAP. ++[eap] returns noop ... You tried to use a regexp to parse the username (usually a mistake IMHO) and put the domain bit into the

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
Also, here is the 'mschap' section from a recent attempt. I don't see anything. Did you forget an attachment? Um... yeah. I'm doing a couple of things at once. Here it is. Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap]

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
which you resolve by putting the right entries into proxy.conf eg col.missouri.edu { strip } Do you mean: realm col.missouri.edu { strip } ? --J

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
And what happens when you try to run ntlm_auth on the command-line? i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters. I dug through the debug output

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
this output does not match with what you claim to have been using. please ensure that your ntlm_auth configuration is correct and the right one is being called. (this one in debug is looking at %{Stripped-User-Name} etc - you claimed to be using %{mschap:User-Name} That's a test that I

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
[mschap]expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} - --username=host/dnps-caplap-4.col.missouri.edu That is not %{mschap:User-Name}. i.e. it's misconfigured Actually, I tried it both ways, since the longer string shown above was the default. [mschap]

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
So, in /etc/raddb/modules/mschap, set (don't include the line continuation \ I've added): ntlm_auth = /path/to/ntlm_auth --request-nt-key \ --username=%{mschap:User-Name} --domain=YOURDOMAIN \ --challenge=... --nt-response=... More good news (though expected): This change did not

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
McNutt, Justin M. wrote: ntlm_auth --request-nt-key --username='dnps-caplap-4$' --domain=col.missouri.edu --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug) The result was: NT_KEY: (long hex string) Exactly. Now that you know what works, the only problem

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. There's no attribute you can set, so you'll need to use another attribute (see my other email) Gotcha. I'm looking into that now (based on your other e-mail). That's very likely do-able. I think it should be a flag -

RE: New User and AD Question

2011-03-02 Thread McNutt, Justin M.
Disjoint namespace is the term used if you have DNS names for windows active directory members which are anything other than: samaccountname.AD domain So, if you give your hosts DNS hostnames of: samaccountname.dept.AD domain ...this is a disjoint namespace. This is a supported

Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

2011-03-02 Thread McNutt, Justin M.
I think you'll have to do that. The tedious bit is matching the domains in the regexps. My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary: ATTRIBUTE My-NT-Domain 3003 string Done. ...then in your ntlm_auth helper, do: ntlm_auth =

RE: Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)

2011-03-02 Thread McNutt, Justin M.
Holy crap, it works! I spent some time un-doing as many of the other changes as I could find (that is, anything that deviates from the default and isn't shown below). So what follows should be everything needed to make this work. STEP 1: CUSTOM ATTRIBUTE = My advice

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
Could you send us the output of radiusd -X for a computer auth? Done. (See previous message with attachment.) If it works for users it should just work for machines. Perhaps under certain circumstances, but not for us, apparently. Perhaps it's the significant difference between the

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { Something's wrong with the regex here. From the config: if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) { From radiusd -X: User-Name = host/dnps-caplap-4.col.missouri.edu ... ? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
this stuff doesn't touch the User-Name - it just looks at it and alters the server's proxy choosing behaviour which is what makes it useful and powerful. It's not doing it correctly yet. See previous message. the language is 'unlang' - it's a built-in parser in freeradius - making the

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
Proxy-To-Realm := %{2} Proxy-To-Realm := %{2} Yeah, I just figured that out. :/ Adjusting and re-testing. --J

RE: New User and AD Question

2011-03-01 Thread McNutt, Justin M.
if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) { update control { Proxy-To-Realm := %{2} } } Part of my troubleshooting involved changing the code to this: if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
27, 2011 1:51 PM To: FreeRadius users mailing list Subject: Re: New User and AD Question McNutt, Justin M. wrote: New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? http://deployingradius.com/documents

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
: 254-295-4658 Phax: 254-295-4221 -Original Message- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius .org [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.fr eeradius.org] On Behalf Of McNutt, Justin M. Sent: Sunday, February 27, 2011 2:05 PM

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the authorize section of the campus-eap virtual server (this is the default, I believe). From the debug log, request 9: server campus-eap { +- entering group authorize {...} ++[preprocess] returns ok

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
I'll try it, but I've read it, and I don't see how this (from realm module): # # 'domain\user' # realm ntdomain { format = prefix delimiter = \\ } Is going to apply to this: User-Name = host/doit-tcb-agl.col.missouri.edu --J

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
Attempted and failed. Can authenticate users, but host authentication still fails. Uncommented ntdomain from both the authorize and preacct sections of /etc/raddb/sites-available/campus-eap. Same behavior as before. --J

RE: New User and AD Question: OT hijack

2011-02-28 Thread McNutt, Justin M.
Message - From: McNutt, Justin M. [mailto:mcnu...@missouri.edu] Sent: Monday, February 28, 2011 04:52 PM To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: RE: New User and AD Question I'll try it, but I've read it, and I don't see how this (from realm

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
ignore me. i'm tired. yes, this is a little bit of pain. I understand. I wondered about that when I saw the ac.uk. You must be working hours similar to mine. (That is, all of them.) you'll be best off using a bit of unlang eg (put this in the authorize section of your main virtual

RE: New User and AD Question

2011-02-28 Thread McNutt, Justin M.
# BOL, host, a slash, one or more non-dot characters, a dot, # one or more non-whitespace chars, EOL. if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) { switch %{2} { case 'my-domain-string-1' { update control {

New User and AD Question

2011-02-27 Thread McNutt, Justin M.
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other

RE: New User and AD Question

2011-02-27 Thread McNutt, Justin M.
McNutt, Justin M. wrote: New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished? http://deployingradius.com/documents/configuration/active_directory.html It's pretty much the same as normal user authentication