I have a question about the PEAP method: do I need to import the client
certificate from the FreeRADIUS CA server to the WinXP client, or just
import the server certificate?

2005/11/27, Alhagie Puye <[EMAIL PROTECTED]>:
> Thanks Dusty. That's very helpful.
>
> I have one little problem. I was hoping someone can shed some light on
> it.
>
> For the Active Directory security, I need to specify the username as
> "Domain\user" instead of just "user" for the identity in radiusd.conf
>
> "[EMAIL PROTECTED]" doesn't seem to work.
>
> Here is the output:
>
> rad_recv: Access-Request packet from host 192.168.42.1:50667, id=146,
> length=57
>        User-Name = "user"
>        User-Password = "password"
>        NAS-IP-Address = 255.255.255.255
>        NAS-Port = 1
>  Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
>  modcall[authorize]: module "preprocess" returns ok for request 4
>  modcall[authorize]: module "chap" returns noop for request 4
>  modcall[authorize]: module "mschap" returns noop for request 4
>    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
>    rlm_realm: No such realm "NULL"
>  modcall[authorize]: module "suffix" returns noop for request 4
>  rlm_eap: No EAP-Message, not doing EAP
>  modcall[authorize]: module "eap" returns noop for request 4
>    users: Matched entry DEFAULT at line 153
>  modcall[authorize]: module "files" returns ok for request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for apuye
> radius_xlat:  '(uid=apuye)'
> radius_xlat:  'dc=ad,dc=puyenet,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to orion.puyenet.com:389, authentication 0
> rlm_ldap: bind as
> [EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com/password to
> orion.puyenet.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap
> section of radiusd.conf
> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>  modcall[authorize]: module "ldap" returns fail for request 4
> modcall: group authorize returns fail for request 4
> Finished request 4
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 4 ID 146 with timestamp 4388ab87
> Nothing to do.  Sleeping until we see a request.
>
> The radiusd.conf file looks like this for the ldap section:
> ldap {
>                server = "orion.puyenet.com"
>                # identity = "cn=admin,o=My Org,c=UA"
>                identity = "[EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com"
>                password = password
>                #basedn = "o=My Org,c=UA"
>                basedn = "dc=ad,dc=puyenet,dc=com"
>                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>                # base_filter = "(objectclass=radiusprofile)"
> }
>
>
> Thanks in advance.
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
>
> > >-----Original Message-----
> > >From: [EMAIL PROTECTED]
> > >[mailto:[EMAIL PROTECTED] On
> > >Behalf Of Dusty Doris
> > >Sent: November 25, 2005 9:43 AM
> > >To: FreeRadius users mailing list
> > >Subject: RE: Freeradius How to integrate Active
> > >Directory[ADIntegrationWindowsXP NTLM Tutorial]
> > >
> > >
> > >> So, the question again is if the VPN Concentrator is only sending
> > >> username and password, do I need ntlm_auth or MS-CHAP? FreeRADIUS
> > >> doesn't have any usernames and passwords and will query Active
> > >> Directory for the actual authentication.
> > >>
> > >> Thanks,
> > >>
> > >
> > >If the packet merely contains a plaintext username and
> > >password, then you can probably just use rlm_ldap against AD
> > >and hit it directly.  You just need to set up a user with read
> > >access to the directory to do the initial bind and the
> > >search of the user for authorization.  Then the user will be
> > >authenticated by doing a bind against AD with the
> > >username/password in the packet.
> > >
> > >BTW - I use FreeRADIUS w/ LDAP for Cisco VPN concentrators
> > >as well, although it's OpenLDAP instead of AD.  To pass back
> > >the Class attribute, you must modify ldap.attrmap and
> > >specify the reply item of Class to match what you call it in
> > >the directory.
> > >
> > >eg:
> > >
> > >replyItem    Class   radiusClass
> > >
> > >Then in the directory, you have
> > >
> > >dn: cn=someuser,...
> > >...
> > >radiusClass: "OU=myvpngroup;"
> > >
> > >So, for AD, you'll need to extend the schema and add an
> > >attribute for this.  Or if you already have something that
> > >you can use, just modify ldap.attrmap to know what it is.
> > >
> > >-Dusty Doris
> > >-
> > >List info/subscribe/unsubscribe? See
> > >http://www.freeradius.org/list/users.html
> > >
>
>
>
>


--
He is nothing
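The quoted ldap section searches with `filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"`, and the debug output shows why the search was `(uid=apuye)`: rlm_realm found no '@' and no matching realm, so Stripped-User-Name was never set and the xlat fell back to the raw User-Name. The following is an added example, not code from the thread or from FreeRADIUS itself; it models that expansion for the three User-Name shapes discussed here (`user`, `user@realm`, `DOMAIN\user`), assumes the realm module recognises the realm when one is present, and escapes the substituted value as rlm_ldap does before it reaches the directory. The `attribute` parameter is an assumption too: the thread uses `uid`, while an AD directory normally matches on `sAMAccountName`.

```python
from typing import Optional, Tuple

# RFC 4515 requires these characters to be escaped inside a filter value;
# rlm_ldap applies the same kind of escaping to expanded attributes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape one value before it is substituted into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Model of the 'suffix' and 'ntdomain' realm handling of User-Name.

    'user@realm'   -> ('user', 'realm')
    'DOMAIN\\user' -> ('user', 'DOMAIN')
    'user'         -> ('user', None)   # no realm, Stripped-User-Name unset
    Assumption: a realm that is present is known to the realm module.
    """
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        return user, realm
    if "\\" in user_name:
        realm, user = user_name.split("\\", 1)
        return user, realm
    return user_name, None


def build_filter(user_name: str, attribute: str = "uid") -> str:
    """Expand "(<attribute>=%{Stripped-User-Name:-%{User-Name}})".

    The ':-' xlat form uses Stripped-User-Name when a realm module set it
    and otherwise falls back to the unmodified User-Name, exactly the path
    taken for "apuye" in the quoted debug output.
    """
    stripped, realm = split_realm(user_name)
    value = stripped if realm is not None else user_name
    return f"({attribute}={ldap_filter_escape(value)})"


if __name__ == "__main__":
    # Constructed sample User-Names, including the one from the thread.
    for name in ("apuye", "PUYENET\\apuye", "apuye@ad.puyenet.com", "a*)(uid=*"):
        print(f"{name!r:28} -> {build_filter(name, 'sAMAccountName')}")
```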

