Hi all,
Could you please send the steps you followed to integrate Freeradius+Authentication.
thanks very much.
From: [EMAIL PROTECTED]
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 25, Issue 2
Date: Tue, 01 May 2007 12:00:12 +0200
>Send Freeradius-Users mailing list submissions to
> freeradius-users@lists.freeradius.org
>
>To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
>or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
>You can reach the person managing the list at
> [EMAIL PROTECTED]
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of Freeradius-Users digest..."
>
>
>Today's Topics:
>
> 1. Re: FreeRadius+AD integration (shrikant Bhat)
> 2. Re: Freeradius Auth via LDAP against Active Directory Server
> 2003 (shrikant Bhat)
> 3. Re: Freeradius Auth via LDAP against Active Directory Server
> 2003 (Peter Nixon)
> 4. Help stuck on error: rlm_ldap: LDAP login failed: check
> identity, password settings in ldap section of radiusd.conf
> (shrikant Bhat)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 1 May 2007 09:07:06 +0530
>From: "shrikant Bhat" <[EMAIL PROTECTED]>
>Subject: Re: FreeRadius+AD integration
>To: "FreeRadius users mailing list"
> <freeradius-users@lists.freeradius.org>
>Message-ID:
> <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Alan,
>My intention is not argue, since I coudnt understand the debug I
>posted the messege.
>
>On 4/30/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> > shrikant Bhat wrote:
> > > I dont have the user in Active directory, yet free radius sends a
> > > accept packet.
> >
> > I did read the debug output, unlike you. It shows why. I told you
> > why. Stop arguing and read the debug output again, and my responses.
> >
> > It's not FreeRADIUS. You have configured FreeRADIUS to reply with an
> > Access-Accept if the ntlm_auth module returns OK. For some reason, the
> > ntlm_auth is returning OK. Go find out why that's happening, and fix it.
> >
> > Do NOT reply with "but freeradius sends an access accept". That reply
> > indicates that you're not reading the messages here. If you're not
> > going to read the answers to your questions, I suggest you stop asking
> > the questions. You're wasting your time, and ours.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
>
>------------------------------
>
>Message: 2
>Date: Tue, 1 May 2007 09:33:20 +0530
>From: "shrikant Bhat" <[EMAIL PROTECTED]>
>Subject: Re: Freeradius Auth via LDAP against Active Directory Server
> 2003
>To: "FreeRadius users mailing list"
> <freeradius-users@lists.freeradius.org>
>Message-ID:
> <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Jacob,
>Could you please send the steps you followed to integrate ad with FR?.
>I am completely lost and confused with the information available on
>this .
>thanks,
>SB
>
>On 5/1/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > Thanks for the Tip ryan but I have been down that road and 2 reasons stopped me:
> >
> > 1 - no way of retrieving ldap groups
> > 2 - Been requested not to have samba on the machine.
> >
> > ntlm_auth was very straight forward for me because it supports all the
> > encryption methods.
> >
> > On 5/1/07, Ryan Kramer <[EMAIL PROTECTED]> wrote:
> > > depending on the wifi auth method, you may want to also investigate a
> > > NTLM_AUTH method instead of straight ldap. This requires the freeradius
> > > machine to be a member of the domain, but once you do that it works great.
> > >
> > >
> > >
> > >
> > > On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > > > OK tried with 1.1.4 and yerp works great.
> > > >
> > > > radiusd -X output: http://pastebin.ca/464153
> > > > radiusd.conf: http://pastebin.ca/464156
> > > >
> > > > I also realised a mistake I have been making, see I want to search the
> > > > whole active directory, hence I kept setting my basedn without an ou.
> > > > After seeing your excellent example and auth'ing had failed I stuck in
> > > > an OU and tried a user from the OU and worked fine.
> > > >
> > > > So my questions is this, to auth people from multiple OU's do I create
> > > > a new ldap module for each OU or is their a simpler way.
> > > >
> > > > Thanks Very much for your help Phil, its been a very productive
> > > > weekend thanks to the info you provided.
> > > >
> > > > My challenge for monday will be setting up the cisco and wireless clients
> > > now :)
> > > >
> > > > On 4/29/07, Jacob Jarick <[EMAIL PROTECTED] > wrote:
> > > > > radiusd.conf: http://pastebin.ca/464133
> > > > > radius -X ouput: http://pastebin.ca/464138
> > > > >
> > > > > Tried with 1.1.6 and fails with this error:
> > > > >
> > > > > rlm_ldap: reading ldap<->radius mappings from file
> > > /etc/raddb/ldap.attrmap
> > > > > rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
> > > > > rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap
> > > failed
> > > > > radiusd.conf[540]: ldap: Module instantiation failed.
> > > > > radiusd.conf[586] Unknown module "ldap".
> > > > > radiusd.conf[586] Failed to parse "ldap" entry.
> > > > > -----------------------------
> > > > > /etc/raddb/ldap.attrmap does exist as provided by the rpm.
> > > > >
> > > > > [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
> > > > > -rw-r----- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
> > > > >
> > > > > I assume the permissions are correct, as it was installed by rpm. Im
> > > > > building the 1.1.4 rpm now, will report back once done.
> > > > >
> > > > > On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > > > > > Thanks for the very detailed instructions.
> > > > > >
> > > > > > I will attempt this shortly (bought rad & ad servers home for weekend
> > > study).
> > > > > >
> > > > > > Quite possible the biggest learning curve for me is the ldap fields
> > > > > > but I am finally starting to get familar with them.
> > > > > >
> > > > > > Cheers again, will post back once Ive run the radtest.
> > > > > >
> > > > > > On 4/28/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> > > > > > > I haven't been following your (quite extensive) queries, so
> > > apologies if
> > > > > > > I've missed something fundamental.
> > > > > > >
> > > > > > > I honestly don't know why this is proving so difficult. I've just
> > > tested
> > > > > > > this against our own 2k3 AD service, and although I'm pretty
> > > familiar
> > > > > > > with FR it took under 5 minutes. Try following the instructions
> > > below.
> > > > > > > These were tested with FreeRadius 1.1.4
> > > > > > >
> > > > > > > 1. First, create or locate an existing account which FreeRadius can
> > > bind
> > > > > > > and do it's searches as. Record the following variables:
> > > > > > >
> > > > > > > SEARCHDN=<the DN of the account>
> > > > > > > SEARCHPW=<the password>
> > > > > > > BASEDN=<the DN below which all your accounts live in AD>
> > > > > > > ADHOST=<hostname of the AD controller you'll search against>
> > > > > > >
> > > > > > > For example, these might be:
> > > > > > >
> > > > > > > SEARCHDN=CN=freeradius,OU=Users,OU=My
> > > Site,DC=mysite,DC=com
> > > > > > > SEARCHPW=blahblah
> > > > > > > BASEDN=OU=My Site,DC=mysite,DC=com
> > > > > > >
> > > > > > > 2. Next, take the default "radiusd.conf"
> > > > > > >
> > > > > > > 3. Find the start of the modules section:
> > > > > > >
> > > > > > > modules {
> > > > > > > ...
> > > > > > >
> > > > > > > Delete this line and all the following lines
> > > > > > >
> > > > > > > 4. Insert the following config:
> > > > > > >
> > > > > > > modules {
> > > > > > > ldap {
> > > > > > > server = "$ADHOST"
> > > > > > > identity = "$SEARCHDN"
> > > > > > > password = "$SEARCHPW"
> > > > > > >
> > > > > > > basedn = "$BASEDN"
> > > > > > > filter =
> > > "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> > > > > > >
> > > > > > > dictionary_mapping = ${raddbdir}/ldap.attrmap
> > > > > > >
> > > > > > > ldap_connections_number = 5
> > > > > > > timeout = 4
> > > > > > > timelimit = 3
> > > > > > > net_timeout = 1
> > > > > > > }
> > > > > > >
> > > > > > > preprocess {
> > > > > > > huntgroups = ${confdir}/huntgroups
> > > > > > > hints = ${confdir}/hints
> > > > > > >
> > > > > > > with_ascend_hack = no
> > > > > > > ascend_channels_per_line = 23
> > > > > > >
> > > > > > > with_ntdomain_hack = no
> > > > > > > with_specialix_jetstream_hack = no
> > > > > > > with_cisco_vsa_hack = no
> > > > > > > }
> > > > > > >
> > > > > > > detail {
> > > > > > > detailfile =
> > > ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> > > > > > > detailperm = 0644
> > > > > > > }
> > > > > > >
> > > > > > > }
> > > > > > >
> > > > > > > instantiate {
> > > > > > > }
> > > > > > >
> > > > > > > authorize {
> > > > > > > preprocess
> > > > > > >
> > > > > > > ldap
> > > > > > > }
> > > > > > >
> > > > > > > authenticate {
> > > > > > > Auth-Type LDAP {
> > > > > > > ldap
> > > > > > > }
> > > > > > > }
> > > > > > >
> > > > > > >
> > > > > > > preacct {
> > > > > > > preprocess
> > > > > > > }
> > > > > > >
> > > > > > > accounting {
> > > > > > > detail
> > > > > > > }
> > > > > > >
> > > > > > >
> > > > > > > session {
> > > > > > > }
> > > > > > >
> > > > > > > post-auth {
> > > > > > > }
> > > > > > >
> > > > > > > pre-proxy {
> > > > > > > }
> > > > > > >
> > > > > > > post-proxy {
> > > > > > > }
> > > > > > >
> > > > > > > 5. Start the server with -X
> > > > > > >
> > > > > > > 6. Run "radtest" to send a checking PAP request
> > > > > > >
> > > > > > > It should work.
> > > > > > >
> > > > > > > The above config is the ABSOLUTE BARE MINIMUM server config which
> > > will
> > > > > > > check PAP requests ONLY against an AD LDAP server. I do NOT
> > > recommend
> > > > > > > you go into service with this config. Try to look at it, understand
> > > how
> > > > > > > it's doing what it's doing, *then* start again with the default
> > > > > > > FreeRadius config and make the absolute minimum changes to get back
> > > to
> > > > > > > that point.
> > > > > > > -
> > > > > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > > > > >
> > > > > >
> > > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > > >
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
>
>------------------------------
>
>Message: 3
>Date: Tue, 1 May 2007 10:36:10 +0300
>From: Peter Nixon <[EMAIL PROTECTED]>
>Subject: Re: Freeradius Auth via LDAP against Active Directory Server
> 2003
>To: freeradius-users@lists.freeradius.org, Jacob Jarick
> <[EMAIL PROTECTED]>
>Message-ID: <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset="iso-8859-1"
>
>On Tue 01 May 2007, shrikant Bhat wrote:
> > Jacob,
> > Could you please send the steps you followed to integrate ad with FR?.
> > I am completely lost and confused with the information available on
> > this .
>
>Hi Jacob
>
>If you plan on documenting the steps that you took, can I respectfully
>request that you do so by either updating one of the existing HOWTOs, or
>creating a new one on our wiki at:
>
>http://wiki.freeradius.org/HOWTO
>
>Cheers
>--
>
>Peter Nixon
>http://www.peternixon.net/
>PGP Key: http://www.peternixon.net/public.asc
>
>
>------------------------------
>
>Message: 4
>Date: Tue, 1 May 2007 15:04:56 +0530
>From: "shrikant Bhat" <[EMAIL PROTECTED]>
>Subject: Help stuck on error: rlm_ldap: LDAP login failed: check
> identity, password settings in ldap section of radiusd.conf
>To: "FreeRadius users mailing list"
> <freeradius-users@lists.freeradius.org>
>Message-ID:
> <[EMAIL PROTECTED]>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>How did u resolve this issue?
>thanks
>SB
>
>
>------------------------------
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>End of Freeradius-Users Digest, Vol 25, Issue 2
>***********************************************
¿Cuánto vale tu auto? Tips para mantener tu carro. ¡De todo en MSN Latino Autos! Clic aquí
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
