On 03/01/2011 05:25 PM, McNutt, Justin M. wrote:
Now it matches, but something about the regex is still wrong (mainly,
the multi-character captures) because it's not expanding correctly.
Short version:
These look like MS-CHAP machine-auth usernames; have you considered using:
%{mschap:User-Name}
%{mschap:NT-Domain}
The mschap module has special handling for host/ names, and these will
expand:
host/name.domain.com
to:
name$
domain.com
The trailing dollar sign on the
McNutt, Justin M. wrote:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Note use of %{mschap:User-Name} and %{mschap:NT-Domain}. Despite this,
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the string printed by the server, and keep running it by
hand. Play with the various parameters until it works. Then, configure
the server to run it with those parameters.
I haven't, partly because it works
Note use of %{mschap:User-Name} and
%{mschap:NT-Domain}. Despite this, host/computer.domain
login attempts always fail. Hence, trying to do the
translation manually via a regex and update clauses.
In the most recent debug I see you posted (16:36 yesterday) it's failing
because:
[eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
++[eap] returns noop
...
You tried to use a regexp to parse the username (usually a mistake IMHO)
and put the domain bit into the
Also, here is the 'mschap' section from a recent attempt.
I don't see anything. Did you forget an attachment?
Um... yeah. I'm doing a couple of things at once. Here it is.
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap]
Hi,
You tried to use a regexp to parse the username (usually a mistake IMHO)
and put the domain bit into the Proxy-To-Realm attribute but
Proxy-To-Realm instructs the server to do just that - which cancels
local authentication.
which you resolve by putting the right entries into proxy.conf
eg
col.missouri.edu {
strip
}
Do you mean:
realm col.missouri.edu {
strip
}
?
--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with NT-Password
I dug through the debug output
this output does not match with what you claim to have been using.
please ensure that your ntlm_auth configuration is correct
and the right one is being called.
(this one in debug is looking at %{Stripped-User-Name} etc -
you claimed to be using %{mschap:User-Name}
That's a test that I
[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu
That is not %{mschap:User-Name}. i.e. it's misconfigured
Actually, I tried it both ways, since the longer string shown above was the
default.
[mschap]
So, in /etc/raddb/modules/mschap, set (don't include the line
continuation \ I've added):
ntlm_auth = /path/to/ntlm_auth --request-nt-key \
--username=%{mschap:User-Name} --domain=YOURDOMAIN \
--challenge=... --nt-response=...
More good news (though expected): This change did not
McNutt, Justin M. wrote:
ntlm_auth --request-nt-key --username='dnps-caplap-4$' --domain=col.missouri.edu --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug)
The result was: NT_KEY: (long hex string)
Exactly. Now that you know what works, the only problem is creating a
Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4)
+- entering group post-auth {...}
++[exec] returns noop
} # server campus-eap
Sending Access-Accept of id 179 to 128.206.131.253 port 20009
Cool.
Bad news:
I have a multi-domain
%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion.
There's no attribute you can set, so you'll need to use another
attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail). That's very
likely do-able.
I think it should be a flag -
Disjoint namespace is the term used if you have DNS names for Windows
Active Directory members which are anything other than:
samaccountname.AD domain
So, if you give your hosts DNS hostnames of:
samaccountname.dept.AD domain
...this is a disjoint namespace. This is a supported
Hi,
That is brilliant! We are going to deploy a second domain this summer, I
was wondering exactly how I would make our FR server work with both. I am
definitely going to give this a try!
we just use the failover method. have 2 copies of the mschap
module - each with labels to mark
I think you'll have to do that. The tedious bit is matching
the domains in the regexps.
My advice would be to define a local, internal-only attribute in
/etc/raddb/dictionary:
ATTRIBUTE My-NT-Domain 3003 string
Done.
...then in your ntlm_auth helper, do:
ntlm_auth =
Holy crap, it works! I spent some time un-doing as many of the other changes
as I could find (that is, anything that deviates from the default and isn't
shown below). So what follows should be everything needed to make this work.
STEP 1: CUSTOM ATTRIBUTE
Hi,
I took this code and modified it, assuming that if the code I wrote before
(which tries to use COL.MISSOURI.EDU as the realm) doesn't work, I can use
the code above to take FOO.MISSOURI.EDU and proxy to the NT domain FOO-USERS,
which is more than just massaging the User-Name field.
Could you send us the output of radiusd -X for a computer auth?
Done. (See previous message with attachment.)
If it works for users it should just work for machines.
Perhaps under certain circumstances, but not for us, apparently. Perhaps it's
the significant difference between the
if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
Something's wrong with the regex here. From the config:
if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {
From radiusd -X:
User-Name = host/dnps-caplap-4.col.missouri.edu
...
? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -
this stuff doesn't touch the User-Name - it just looks at it
and alters the server's proxy choosing behaviour which
is what makes it useful and powerful.
It's not doing it correctly yet. See previous message.
the language is 'unlang' - it's a built-in parser in
freeradius - making the
Hi,
if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
update control {
Proxy-To-Realm := %{2}
}
}
Yeah, I just figured that out. :/ Adjusting and re-testing.
--J
Part of my troubleshooting involved changing the code to this:
if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
Two comments about posting logs ...
#1 Post the entire log of radiusd -X (NOT -XX, that has a
bunch of timestamps we don't need) and don't redact anything
that's not privileged info, you can very easily remove
Hi,
Should I post the debug log here, or a pastebin, or...?
quick answer? post it here
want to wait until someone can be bothered to go to some random web page?
pastebin
alan
Hi,
Removing the shared secrets, LDAP user passwords, etc. was the redacting I
was talking about. That, and removing the thousands of messages related to
other users' auth attempts, if I had had to do this on a production server.
you can use radmin to get a full debug of a single client/NAS
hi,
in your campus-eap virtual server you are not making a call to eg the prefix
module (put straight after the preprocess module), i.e.
preprocess
suffix
ntdomain
do this in the authorization and preacct sections to handle these better
alan
Hi,
I don't have a modules/prefix file. I have a preprocess file, which is
called at the top of the authorize section of the campus-eap virtual server
(this is the default, I believe).
just add ntdomain as I said
read the realm module for description about fall through
alan
On Monday, February 28, 2011 5:34 PM, Gatten wrote (Subject: Re: New User and AD Question: OT hijack):
First, is your last name really McNutt? And, have you ever
been by the house near MU that has camels and zebras in the
front yard?
Hi,
I'll try it, but I've read it, and I don't see how this (from realm module):
#
# 'domain\user'
#
realm ntdomain {
format = prefix
delimiter = \\
}
Is going to apply to this:
User-Name = host/doit-tcb-agl.col.missouri.edu
Ha, sweet...
On Monday, February 28, 2011 05:53 PM, McNutt, Justin M. wrote (Subject: RE: New User and AD Question: OT hijack):
Yes, and no, respectively. My wife
ignore me. i'm tired. yes, this is a little bit of pain.
I understand. I wondered about that when I saw the ac.uk. You must be working
hours similar to mine. (That is, all of them.)
you'll be best off using a bit of unlang eg
(put this in the authorize section of your main virtual
That looks like Perl. Perl, I can deal with. I do have multiple domains to
attack. If I can come up with something generic that works for at least two
domains, I'll post it here. Looks predictable enough. I'm thinking along
the lines of something like this:
# BOL, host, a slash, one or more non-dot characters, a dot,
# one or more non-whitespace chars, EOL.
if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {
switch %{2} {
case 'my-domain-string-1' {
update control {
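Pulling the thread's pieces together (the regex with the `+` inside the capture group, the local internal-only attribute suggested later in the thread, and an ntlm_auth line that uses %{mschap:User-Name} for host/ names), here is the FreeRADIUS 2.x configuration I would use for machine authentication against more than one AD domain. It is an added example, not configuration posted in the thread or shipped with FreeRADIUS. Assumptions: the DNS-suffix-to-NT-domain map is illustrative (col.missouri.edu worked as-is with ntlm_auth in the thread; FOO-USERS for foo.missouri.edu is McNutt's hypothetical mapping), %{tolower:} comes from rlm_expr, and the virtual server name campus-eap is the one in the thread's debug output. Nothing here sets Proxy-To-Realm, which, as Alan Buxey explained, tells the server to proxy and cancels local EAP.

```unlang
# Added example (not from the thread): FreeRADIUS 2.x pieces for
# machine (host/) authentication against more than one AD domain.

# 1. /etc/raddb/dictionary -- local, internal-only attribute (number 3003
#    as suggested in the thread; it is never sent on the wire).
ATTRIBUTE   My-NT-Domain   3003   string

# 2. authorize section of the campus-eap virtual server (assumed name),
#    placed before the eap module so the attribute exists when mschap runs.
#    Group placement matters: ([^\.]+) captures the whole host part,
#    whereas ([^\.])+ captures only the last character of it.
if (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) {
    # Map the DNS suffix to the NT domain winbind should be asked about.
    # The map is an assumption; %{tolower:} (rlm_expr) is assumed because
    # case values compare exactly while the regex above is /i.
    switch "%{tolower:%{2}}" {
        case "col.missouri.edu" {
            update control {
                My-NT-Domain := "col.missouri.edu"
            }
        }
        case "foo.missouri.edu" {
            update control {
                My-NT-Domain := "FOO-USERS"
            }
        }
        case {
            # Unknown suffix: pass the DNS domain through and let
            # ntlm_auth fail loudly rather than guessing a domain.
            update control {
                My-NT-Domain := "%{2}"
            }
        }
    }
    # Deliberately no "Proxy-To-Realm := ..." here: that attribute tells
    # the server to proxy the request and skip local EAP.
}

# 3. /etc/raddb/modules/mschap -- %{mschap:User-Name} rewrites
#    host/name.domain into name$; the domain comes from the control
#    attribute set above, because %{mschap:NT-Domain} is a dynamic
#    expansion and cannot be overridden.
mschap {
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{control:My-NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Put the unlang in whichever virtual server actually runs the inner MS-CHAPv2 (the thread's debug shows it happening inside campus-eap; a default PEAP setup runs it in inner-tunnel). Verify the same way the thread does: copy the expanded ntlm_auth line from radiusd -X and run it by hand, expecting NT_KEY: followed by hex, and confirm the [mschap] expand line shows --username=dnps-caplap-4$ rather than host/....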
On 27/02/2011 18:08, McNutt, Justin M. wrote:
New member to the list, here. I have a question about AD computer-based
authentication. Basically, how is it accomplished?
I have Googled and Googled, but only found references to the fact that it *can*
be done (mostly from archives of this list), but little reference on HOW to do
it, other
http://deployingradius.com/documents/configuration/active_directory.html
It's pretty much the same as normal user authentication. PEAP goes