hello,

I've been trying for months to solve and build a huuuuuge project, which is
the following:

A lab with an AD (domain TIMLIG.COM);
freeradius with all modules, running 100% for local tests;
some Cisco switches and routers for testing;
implement digital certificates on top of the LDAP authentication;

the idea is: a user enters their credentials on the Cisco device, the
radius server queries the company's Active Directory database and
grants access.

when radius queries the AD it manages to ''log in'' to the server, but
when it searches for the user it fails, and I can't get TLS working or
generate the certificate either.

I've already gone through just about every kind of HOWTO, tutorial, wiki
and the like, but none of them helps in this situation..

the configuration on the Cisco devices is fine, since I've already
managed to authenticate against a MySQL database; I have it documented,
anyone who wants it just ask..

help me!!

radius output:

rad_recv: Access-Request packet from host 127.0.0.1:44855, id=183, length=64
        User-Name = "robson.gomes"
        User-Password = "O\025\214\020\326a\026c\252\276\020Q\016gi\332"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
  modcall[authorize]: module "preprocess" returns ok for request 9
  modcall[authorize]: module "chap" returns noop for request 9
  modcall[authorize]: module "mschap" returns noop for request 9
    rlm_realm: No '@' in User-Name = "robson.gomes", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 9
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 9
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 217
  modcall[authorize]: module "files" returns ok for request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for robson.gomes
radius_xlat:  '(uid=robson.gomes)'
radius_xlat:  'dc=timlig,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to lab-timlig.timlig.com:389, authentication 0
rlm_ldap: bind as /Intelig23 to lab-timlig.timlig.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=timlig,dc=com, with filter (uid=robson.gomes)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 9
modcall: leaving group authorize (returns fail) for request 9
Finished request 9


in radiusd.conf

down in modules......

ldap {
        server = "lab-timlig.timlig.com"
#       identity = "cn=radius,ou=timlig,ou=com"
        password = Intelig23
#       port = 636
        basedn = "dc=timlig,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"
}

authorize {
        preprocess
#       auth_log
#       attr_filter
        chap
        mschap
#       digest
#       IPASS
        suffix
#       ntdomain
        eap
        files
#       sql
#       etc_smbpasswd
        ldap
#       daily
#       checkval
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

#       digest
#       pam

        unix

        Auth-Type LDAP {
                ldap
        }

        eap
}


in users:

DEFAULT Auth-Type := LDAP


on the Cisco devices:

aaa authentication banner # Roteador XXXXX #
aaa authentication login default group radius local
aaa authentication login localauth local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
ip subnet-zero

radius-server host 10.3.6.167 auth-port 1812 acct-port 1813
radius-server key cisco

Radius-server host is the IP of the radius server, in this case 10.3.6.167;
the NAS authenticates on ports 1812 and 1813 with key cisco, the password
configured in clients.conf



GUS-BR - Grupo de Usuários de Slackware Brasil
http://www.slackwarebrasil.org/
http://groups.google.com/group/slack-users-br

Before asking:
http://www.istf.com.br/perguntas/
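Added example, not part of the original message and not FreeRADIUS code: a small Python script that reads the rlm_ldap portion of `radiusd -X` output like the one quoted above and reports what a reviewer would check first. The debug text it embeds is constructed: the first sample is the failing run from the post (same lines, unwrapped), the second is a hypothetical run of the same request after `identity`, `port` and the filter attribute have been set for Active Directory (the service-account DN and password in it are placeholders). The regexes assume the rlm_ldap message formats visible in the post ("bind as <identity>/<password> to <host>:<port>", "performing search in <base>, with filter <filter>", "ldap_search() failed: <error>"), and whether the directory is AD is a parameter rather than something the script detects. The points it checks: AD refuses to run a search on an unauthenticated connection and answers with LDAP result 1 (operationsError), which is exactly the "Operations error" after a "successful" bind with an empty identity (`bind as /Intelig23` means empty DN, password Intelig23); AD accounts are normally looked up by `sAMAccountName`, not `uid`; port 389 without StartTLS carries the bind password in cleartext; and `radiusd -X` itself prints that password, so debug output should be redacted before it is posted.

```python
"""Read FreeRADIUS debug output (radiusd -X) and flag common rlm_ldap-vs-AD mistakes.

Added example; not FreeRADIUS code. Message formats assumed are those of
rlm_ldap in FreeRADIUS 1.x/2.x as quoted in the post.
"""
import re
from dataclasses import dataclass, field

# Constructed sample 1: the failing run from the post (same lines, unwrapped).
FAILING_RUN = """\
rlm_ldap: performing user authorization for robson.gomes
radius_xlat:  '(uid=robson.gomes)'
radius_xlat:  'dc=timlig,dc=com'
rlm_ldap: (re)connect to lab-timlig.timlig.com:389, authentication 0
rlm_ldap: bind as /Intelig23 to lab-timlig.timlig.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=timlig,dc=com, with filter (uid=robson.gomes)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
"""

# Constructed sample 2: the same request once identity, port and filter
# attribute are set for AD. DN and password are hypothetical placeholders.
FIXED_RUN = """\
rlm_ldap: performing user authorization for robson.gomes
rlm_ldap: (re)connect to lab-timlig.timlig.com:636, authentication 0
rlm_ldap: bind as cn=radius,ou=Service Accounts,dc=timlig,dc=com/ExamplePass to lab-timlig.timlig.com:636
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=timlig,dc=com, with filter (sAMAccountName=robson.gomes)
"""

# rlm_ldap prints "<identity>/<password>"; the first "/" separates them
# (assumption: the identity DN itself contains no "/").
BIND_RE = re.compile(r"rlm_ldap: bind as (?P<dn>.*?)/(?P<pw>.*) to (?P<host>[^: ]+):(?P<port>\d+)$")
SEARCH_RE = re.compile(r"rlm_ldap: performing search in (?P<base>.*), with filter (?P<filter>\(.*\))$")
FAIL_RE = re.compile(r"rlm_ldap: ldap_search\(\) failed: (?P<err>.+)$")
FILTER_ATTR_RE = re.compile(r"^\(\s*([A-Za-z][\w-]*)\s*=")


@dataclass
class LdapDiagnosis:
    host: str = ""
    port: int = 0
    bind_dn: str = ""
    base_dn: str = ""
    search_filter: str = ""
    error: str = ""
    findings: list = field(default_factory=list)


def diagnose(debug_output: str, directory_is_ad: bool = True) -> LdapDiagnosis:
    """Extract connection, bind, search and error facts, then derive findings."""
    d = LdapDiagnosis()
    password_seen = False
    for raw in debug_output.splitlines():
        line = raw.strip()
        if m := BIND_RE.search(line):
            d.bind_dn = m["dn"].strip()          # empty => anonymous bind
            d.host, d.port = m["host"], int(m["port"])
            password_seen = bool(m["pw"])
        elif m := SEARCH_RE.search(line):
            d.base_dn, d.search_filter = m["base"], m["filter"]
        elif m := FAIL_RE.search(line):
            d.error = m["err"].strip()

    if password_seen:
        d.findings.append("bind password is printed in cleartext by radiusd -X; "
                          "redact it before sharing the log")
    if d.host and not d.bind_dn:
        d.findings.append("identity is empty (anonymous bind); AD will not search for an "
                          "unauthenticated client and answers 'Operations error', so set "
                          "identity to a service-account DN")
    if d.port == 389:
        d.findings.append("port 389 without StartTLS sends the bind password and user lookups "
                          "in the clear; use port 636 (ldaps) or enable StartTLS in the ldap module")
    if directory_is_ad and (attr := FILTER_ATTR_RE.match(d.search_filter)):
        if attr.group(1).lower() == "uid":
            d.findings.append("filter matches on 'uid', which AD accounts normally do not carry; "
                              "use (sAMAccountName=...) instead")
    return d


if __name__ == "__main__":
    for name, run in (("failing run", FAILING_RUN), ("fixed run", FIXED_RUN)):
        result = diagnose(run)
        print(f"== {name}: bind_dn={result.bind_dn!r} port={result.port} error={result.error!r}")
        for finding in result.findings:
            print("  -", finding)
```

Run it against a saved `radiusd -X` capture by replacing `FAILING_RUN` with the file contents; on the post's own output it reports the empty identity, the `uid` filter, the plaintext port and the leaked password, while the fixed run only trips the password warning, which is inherent to debug mode.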