Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 11:29 AM, wrote:
> At 02:01 PM 1/18/2010, Eric Swanson wrote:
>
>> On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone <bryan-bo...@msn.com> wrote:
>> For me the simplest solution to solve this would be a windows 2003 server
>> domain controller. Unfortunately due to some corporate restrictions I
>> cannot install a windows server.
>>
>>
>> If you can't set up a Windows server to do this job, the best way to meet
>> this need is to run Samba on a Linux machine. If you run it in domain
>> control mode, it'll act very much like a Windows server for the purposes
>> you're talking about.
>>
>
>
> If there's a corporate restriction on installing a windows server, setting
> up a linux server to behave just like a windows server might also be a
> problem. And indeed if it's on the same network, you'll really need to get
> things right so that it doesn't screw anything up (such as becoming the
> master browser).
>

Indeed. Just for the sake of clarity let me break it down one more notch:

- If the policy that prevents you from installing a Windows server is
  something like a company-wide prohibition on using closed-source software,
  or on spending licensing money with Microsoft, and if your network stands
  on its own -- then Samba is probably a great approach. Good luck.

- If, as Rick suggests, the policy comes from something like a central IT
  department that requires you to stay out of their realm of authority, then
  you've got a whole mess of constraints to navigate. Good luck.

Speaking for myself, I'd say the pGina approach noted above by Josip makes
sense only if you've already got RADIUS infrastructure. If you're building
something from scratch, Samba is a much better fit, but if pGina lets you use
existing RADIUS-centric stuff you just might be well-advised to go that way.

> Just be sure first :-)
>

Indeed. Also, note that this is off-topic for the list.

E.
--
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing & Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone wrote:
> I have a small network of about 10 windows XP machines. I need to set
> these machines up so that my users can log into any of these machines.
>
> For me the simplest solution to solve this would be a windows 2003 server
> domain controller. Unfortunately due to some corporate restrictions I
> cannot install a windows server.
>
> I was told that a Radius server could accomplish the same thing for me. Is
> this true?
>

Bryan:

I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is a
poor solution for this, if indeed a solution at all.

If you can't set up a Windows server to do this job, the best way to meet this
need is to run Samba on a Linux machine. If you run it in domain control mode,
it'll act very much like a Windows server for the purposes you're talking
about.

Check out http://samba.org/ for details on Samba. And for what it's worth I
would lean toward using CentOS as the core platform (of course opinions vary
on this point). The book "Samba-3 by Example" gives an excellent guide to the
setup if you need one. It's available online at
http://www.samba.org/samba/docs/man/Samba-Guide/

Good luck!

E.

--
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing & Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55
Re: PAP/SSHA plus MS-CHAP on 2.17
On Thu, Jan 14, 2010 at 1:29 AM, Alan DeKok wrote:
> *something* is either adding a crypt'd password, or is
> forcing the PAP module to use the crypt'd password.
>
> Maybe the "unix" module?

Good guess! I disabled the "unix" module from authentication and
authorization, and everything looks great. As it happens, the system has
picked one of the NT passwords to check, but as long as it works I'm fine.

Thanks so much for your timely assistance.

E.

--
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing & Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55
Re: PAP/SSHA plus MS-CHAP on 2.17
On Thu, Jan 14, 2010 at 12:18 AM, Eric Swanson wrote:
> There's not much to the rest of my PAP-related configuration.

...and just for the record, I've just grepped through my whole /etc/raddb
folder. The only other non-commented mentions of PAP are in eap.conf,
sites-available/inner-tunnel, and modules/inner-eap -- none of which has been
modified from the standard distributed file.

Thanks again,

E.
Re: PAP/SSHA plus MS-CHAP on 2.17
On Wed, Jan 13, 2010 at 10:48 PM, Alan DeKok wrote:
> Eric Swanson wrote:
>> ...
>> [ldap] Added User-Password = {SSHA}i9--censored--JI in check items
>> [ldap] looking for check items in directory...
>> rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
>> rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
>
> You have 3 versions of the "known good" password for the user. Which
> one do you want to use?

Alan:

Thanks so much for getting back to me. My intent is to use the SSHA password
-- of the ones my LDAP system must maintain, I assumed it would be the most
straightforward (better than those Windows ones anyway).

>> [pap] Using CRYPT encryption.
>
> And the "pap" module isn't configured to use any of them.
>
>> The part that seems strange to me is that the system clearly
>> identifies the type of passwords we are using ("Normalizing
>> SSHA1-Password from base64 encoding" seems proof enough of that), but
>> a couple lines later PAP has decided to use CRYPT encryption for some
>> reason. I can't imagine what I've done to make the system believe it
>> should use CRYPT instead of SSHA.
>
> Check the configuration of the PAP module.

Here's my modules/pap in its entirety:

pap {
        auto_header = yes
}

I haven't found any information on other (non-deprecated) directives that go
in this file. If there's a way to tell PAP to use the SSHA password, I would
_love_ to hear it.

There's not much to the rest of my PAP-related configuration. In
sites-available/default under the authorization section, PAP is listed last,
just like this:

        pap

In sites-available/default under the authentication section, PAP is listed
first like this:

        Auth-Type PAP {
                pap
        }

I'm excited about your note's implication that there's a way to tell PAP
which password to use. If that's really true, I think all I need is to be
pointed to information about how to do so.

Thankx,

E.
PAP/SSHA plus MS-CHAP on 2.17
Y'all:

Maybe this question is obvious for somebody, but I haven't been able to find
an answer so far. I'd appreciate any help on this.

I'm setting up freeradius 2.17 with OpenLDAP on CentOS 5.3 (using the
pre-built RPM repository from
http://people.redhat.com/jdennis/freeradius-rhel-centos). The system needs to
authenticate at least two different ways by RADIUS (plus several others by
LDAP, but that's all working fine). Currently one is working and the other is
not. I've worked with freeradius/LDAP setups before, but it's been a couple
years since I last did it from scratch.

One client needs to talk MS-CHAP, and that's working great. If it matters I'm
happy to post logs of these sessions happening, but I presume that's
irrelevant.

The other client needs to talk PAP, and it's not working right at all.

In keeping with the frequent advice of this group, I've kept the config files
as pristine as I can. Here are all the changes I've made since I last reverted
to the default files:

[/etc/raddb]# diff ./sites-available/default.DIST ./sites-available/default
170c170
<       # ldap
---
>       ldap
[/etc/raddb]# diff ./modules/ldap.DIST ./modules/ldap
33c33
<       server = "ldap.your.domain"
---
>       server = ".org"
36c36
<       basedn = "o=My Org,c=UA"
---
>       basedn = "dc=my,dc=office,dc=org"
116c116
<       # password_attribute = userPassword
---
>       password_attribute = userPassword
[/etc/raddb]# diff ./modules/pap.DIST ./modules/pap
17c17
<       auto_header = no
---
>       auto_header = yes
[/etc/raddb]# diff ./clients.conf.DIST ./clients.conf
101c101
<       secret = testing123
---
>       secret = SharedSecret
234a235,240
>
> client 172.16.0.0/24 {
>       secret = SharedSecret
>       shortname = office-network
> }
>
[/etc/raddb]#

In fiddling over the past few days I've achieved several different failure
modes, but here's what a session looks like now:

rad_recv: Access-Request packet from host 172.16.0.1 port 1078, id=36, length=82
        User-Name = "testuser"
        User-Password = "user"
        Service-Type = Authenticate-Only
        NAS-Identifier = "VPNSRV"
        Message-Authenticator = 0x8e--censored--db
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for testuser
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap] expand: dc=my,dc=office,dc=org -> dc=my,dc=office,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to muggins.my.office.org:389, authentication 0
rlm_ldap: bind as / to muggins.my.office.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=office,dc=org, with filter (uid=testuser)
[ldap] Added User-Password = {SSHA}i9--censored--JI in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "user"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 36 to 172.16.0.1 port 1078
Waking up in 4.9 seconds.

The part that seems strange to me is that the system clearly identifies the
type of passwords we are using ("Normalizing SSHA1-Password from base64
encoding" seems proof enough of that), but a couple lines later PAP has
decided to use CRYPT encryption for some reason. I can't imagine what I've
done to make the system believe it should use CRYPT instead of SSHA.

I've been developing a range of crazy theories as to what might be going on,
but I think it's time for me to see what y'all have to say.

Thanks in advance for any guidance
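Review bot: the modules/ldap hunk enables password_attribute = userPassword but changes no bind identity or password, and the session log confirms the consequence ("rlm_ldap: bind as / to muggins.my.office.org:389"): the server reads userPassword, sambaNtPassword and sambaLmPassword over an anonymous bind, so the directory ACL is letting any anonymous reader fetch password hashes. Give the module its own bind DN (the identity and password directives in modules/ldap) and restrict read access on those attributes to that DN.

Review bot: in the clients.conf hunk the new "client 172.16.0.0/24" block reuses the same "secret = SharedSecret" that line 101 assigns to the existing client, and it covers a whole /24 although the log shows requests coming from a single NAS at 172.16.0.1. Every host on that subnet can then talk to the server with a secret that also belongs to the other client entry; one client entry per NAS address, each with its own secret, keeps a compromised or mis-assigned address from being accepted as a NAS.

As an added illustration (not code from this thread and not FreeRADIUS's own rlm_pap), here is a small Python model of what the session log above and the "unix module" diagnosis later in the thread describe: the check items that ldap and unix leave behind are normalised (the {SSHA} base64 string into SSHA1-Password, the 0x hex strings into NT-Password/LM-Password), then one password attribute is chosen and the PAP cleartext is compared against it. The selection rule used here, first recognised password attribute in check-item order wins, is a modelling assumption rather than a quote of the module's source; Crypt-Password (what the unix module contributes from the local account) is recognised for selection but its crypt(3) comparison is deliberately not implemented. All hashes, salts and the crypt string are constructed sample values, and the md4 routine is included only because hashlib's MD4 is absent on many current OpenSSL builds.

```python
import base64
import hashlib
import hmac
import os
import struct


def md4(data):
    """Pure-Python MD4 (RFC 1320), needed for NT-Password hashes."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad to 56 mod 64 bytes, then append the bit length little-endian.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (F, 0x00000000, range(16), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + k_add) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """sambaNtPassword / NT-Password: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def make_ssha(password, salt=None):
    """OpenLDAP {SSHA} userPassword: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def normalize(check_items):
    """Model of the '[pap] Normalizing ...' step: decode headers/hex into raw bytes."""
    out = []
    for attr, value in check_items:
        if attr == "User-Password" and value.startswith("{"):
            scheme, _, body = value[1:].partition("}")
            scheme = scheme.upper()
            if scheme == "SSHA":
                out.append(("SSHA1-Password", base64.b64decode(body)))
            elif scheme == "SHA":
                out.append(("SHA1-Password", base64.b64decode(body)))
            elif scheme == "CRYPT":
                out.append(("Crypt-Password", body.encode()))
            elif scheme == "CLEAR":
                out.append(("Cleartext-Password", body.encode()))
            else:
                out.append((attr, value.encode()))  # unknown header: left untouched
        elif attr in ("NT-Password", "LM-Password"):
            out.append((attr, bytes.fromhex(value[2:] if value.startswith("0x") else value)))
        else:
            out.append((attr, value.encode() if isinstance(value, str) else value))
    return out


# Attributes the model treats as "known good" passwords. LM and Crypt are
# recognised for selection only; no comparison is implemented for them here.
KNOWN = ("Cleartext-Password", "Crypt-Password", "SHA1-Password",
         "SSHA1-Password", "NT-Password", "LM-Password")

VERIFIERS = {
    "Cleartext-Password": lambda pw, v: hmac.compare_digest(pw.encode(), v),
    "SHA1-Password": lambda pw, v: hmac.compare_digest(hashlib.sha1(pw.encode()).digest(), v),
    # SSHA: the first 20 bytes are the SHA1, everything after them is the salt.
    "SSHA1-Password": lambda pw, v: hmac.compare_digest(
        hashlib.sha1(pw.encode() + v[20:]).digest(), v[:20]),
    "NT-Password": lambda pw, v: hmac.compare_digest(nt_hash(pw), v),
}


def select_check_item(check_items):
    """Assumed rule: the first recognised password attribute in check-item order decides."""
    for attr, value in normalize(check_items):
        if attr in KNOWN:
            return attr, value
    return None, None


def pap_authenticate(cleartext, check_items):
    """Return (attribute used, matched). Raises for schemes this demo does not compare."""
    attr, value = select_check_item(check_items)
    if attr is None:
        return None, False
    if attr not in VERIFIERS:
        raise NotImplementedError("%s comparison not implemented in this demo" % attr)
    return attr, VERIFIERS[attr](cleartext, value)


# Constructed check items mirroring the log: ldap adds the {SSHA} string plus hex
# NT/LM hashes; with the unix module enabled a Crypt-Password sits in front of them.
LDAP_ITEMS = [
    ("User-Password", make_ssha("user", salt=b"s4lt")),
    ("NT-Password", "0x" + nt_hash("user").hex()),
    ("LM-Password", "0x" + "00" * 16),  # placeholder, never compared here
]
WITH_UNIX = [("Crypt-Password", "$6$placeholder$notarealhash")] + LDAP_ITEMS

if __name__ == "__main__":
    print("unix enabled :", select_check_item(WITH_UNIX)[0])      # Crypt-Password
    print("unix disabled:", pap_authenticate("user", LDAP_ITEMS))  # ('SSHA1-Password', True)
```

Running it shows the shape of the problem in the thread: as long as a Crypt-Password precedes the LDAP attributes, the SSHA hash is never consulted no matter how well it is normalised; drop the unix-supplied item (or the module that adds it) and the directory hash is the one compared.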