Re: Autz-Type examples and parse error
Hi Alan,

Thanks for the help! This works well and lessens the confusion on my part.

I do have one question. When using ldap as the authorization module the Auth-Type gets set properly to siteone_ldap. But if I try using ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK.

rad_recv: Access-Request packet from host 127.0.0.1 port 38806, id=14, length=63
        User-Name = SITEONE\\hhoffman
        User-Password = password
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = SITEONE\hhoffman, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] Looking up realm SITEONE for User-Name = SITEONE\hhoffman
[ntdomain] Found realm SITEONE
[ntdomain] Adding Stripped-User-Name = hhoffman
[ntdomain] Adding Realm = SITEONE
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++? if (!Realm)
? Evaluating !(Realm) -> FALSE
++? if (!Realm) -> FALSE
++? elsif (Realm == siteone.edu)
? Evaluating (Realm == siteone.edu) -> FALSE
++? elsif (Realm == siteone.edu) -> FALSE
++? elsif (Realm == SITEONE)
? Evaluating (Realm == SITEONE) -> TRUE
++? elsif (Realm == SITEONE) -> TRUE
++- entering elsif (Realm == SITEONE) {...}
[siteone_ntlm_auth]     expand: --username=%{Stripped-User-Name} -> --username=hhoffman
[siteone_ntlm_auth]     expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
+++[siteone_ntlm_auth] returns ok
++- elsif (Realm == SITEONE) returns ok
++ ... skipping elsif for request 6: Preceding if was taken
++ ... skipping elsif for request 6: Preceding if was taken
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [SITEONE\\hhoffman] (from client localhost port 1812)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> SITEONE\hhoffman
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 14 to 127.0.0.1 port 38806
Waking up in 4.9 seconds.
Cleaning up request 6 ID 14 with timestamp +864
Ready to process requests.

On Tue, 2010-10-12 at 21:48 +0200, Alan DeKok wrote:
> Harry Hoffman wrote:
> > I'm following along with the docs for Autz-Type in freeradius-2.1.8,
> > specifically the section about selecting between multiple instances of a
> > module.
>
>   In 2.x, there are better ways to do this. See man unlang for
> conditionally calling a module.
>
> > In users.conf I have:
> > DEFAULT Realm == siteone.edu, Autz-Type := siteone_ldap, Auth-Type := siteone_ldap
>
>   Please don't say users.conf. It's the users file.
>
>   The issue is that 2.x has the inner-tunnel virtual server, and the
> documentation is left over from 1.1.x.
>
>   The solution is instead to *not* use the users file. Instead, do:
>
> authorize {
>         ...
>         if (Realm == siteone.edu) {
>                 siteone_ldap
>         }
>         ...
> }
>
>   This will *also* have it automatically set Auth-Type to siteone_ldap,
> too. That's simpler than the users file entry, and gives less room for
> mistakes.
>
>   Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Autz-Type examples and parse error
On 13/10/10 14:40, Harry Hoffman wrote:
> Hi Alan,
>
> Thanks for the help! This works well and lessens the confusion on my part.
>
> I do have one question. When using ldap as the authorization module the
> Auth-Type gets set properly to siteone_ldap. But if I try using

That's a feature of the ldap module; if it is a named module it sets the Auth-Type to that name (otherwise using LDAP).

> ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK.

The (confusingly named) ntlm_auth module is actually a copy of the exec module which checks PAP requests; it does not have that feature.

You are also using it wrong, by running it in the authorize section. You want something like:

authorize {
        if (Realm == ...) {
                ldap_siteone
        }
        elsif (Realm == ...) {
                update control {
                        Auth-Type := PAP-ntdom
                }
        }
}

authenticate {
        Auth-Type ldap_siteone {
                ldap_siteone
        }
        Auth-Type PAP-ntdom {
                ntlm_auth
        }
}

I guess the other alternative is:

authorize {
        if (Realm == ...) {
                ldap_siteone
        }
        elsif (Realm == ...) {
                ntlm_auth
                if (ok) {
                        update control {
                                Auth-Type := PAP-ntdom
                        }
                }
        }
}

...but maybe it's not really what you should be doing; authenticate should happen after authorize.
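For readers following the thread, here is a complete 2.x-style configuration that puts Phil's sketch and Alan's earlier advice together for the two realms that appear in the debug output (siteone.edu and SITEONE). This is an added example, not configuration posted by anyone in the thread or shipped by the FreeRADIUS project. The module names and realm names come from the thread; the LDAP server, bind identity, password and base DN, the ntlm_auth binary path and the Auth-Type name PAP-ntdom are assumptions and placeholders to be replaced. The module keys used (server, identity, password, basedn, filter, set_auth_type for rlm_ldap; wait and program for rlm_exec) are the 2.x rlm_ldap and rlm_exec settings.

```unlang
# --- modules/siteone_ldap: a named rlm_ldap instance ---------------------
# Values below are placeholders (assumption), not the thread's real server.
ldap siteone_ldap {
        server   = "ldap.siteone.edu"                  # placeholder
        identity = "cn=radius,ou=svc,dc=siteone,dc=edu" # placeholder bind DN
        password = "CHANGE-ME"                          # placeholder
        basedn   = "dc=siteone,dc=edu"                  # placeholder
        # Look the user up by the stripped name, falling back to User-Name.
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # This is the rlm_ldap feature Phil describes: when the module finds
        # the user it sets Auth-Type to its own instance name (siteone_ldap).
        set_auth_type = yes
}

# --- modules/ntlm_auth: an rlm_exec instance (a plain program runner) ----
# rlm_exec only returns ok/fail from the exit status; it never sets Auth-Type.
exec ntlm_auth {
        wait = yes
        # Binary path is an assumption; the --username/--password expansions
        # match the ones visible in the thread's debug output.
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=SITEONE --username=%{Stripped-User-Name} --password=%{User-Password}"
}

# --- sites-enabled/default ------------------------------------------------
authorize {
        preprocess
        chap
        mschap
        suffix
        ntdomain

        if (Realm == "siteone.edu") {
                # rlm_ldap fetches the user and sets Auth-Type := siteone_ldap
                siteone_ldap
        }
        elsif (Realm == "SITEONE") {
                # rlm_exec cannot set Auth-Type, so set it here explicitly and
                # leave the password check for authenticate {} below.
                update control {
                        Auth-Type := PAP-ntdom
                }
        }

        eap
        expiration
        logintime
        pap
}

authenticate {
        Auth-Type siteone_ldap {
                siteone_ldap
        }
        Auth-Type PAP-ntdom {
                # exit status 0 (NT_STATUS_OK) -> ok, anything else -> reject
                ntlm_auth
        }
        eap
}
```

Two things to keep in mind when deploying a layout like this. The ntlm_auth path only works for PAP, because it needs the clear-text User-Password to pass to the program; CHAP and MS-CHAP requests have no such attribute and go through the chap and mschap modules instead. And, as the debug output earlier in the thread shows, `radiusd -X` prints the expanded command line including `--password=...` in the clear, so debug logs from this configuration should be handled as secrets.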
Re: Autz-Type examples and parse error
Hi Phil,

Thanks for the pointers. I was attempting to use ntlm_auth to ensure the account actually existed for the authorization section. And then again in the authentication section to ensure the user name and password match.

Is there a better way to check for authorization against AD?

Cheers,
Harry

On Wed, 2010-10-13 at 14:56 +0100, Phil Mayers wrote:
> On 13/10/10 14:40, Harry Hoffman wrote:
> > Hi Alan,
> >
> > Thanks for the help! This works well and lessens the confusion on my part.
> >
> > I do have one question. When using ldap as the authorization module the
> > Auth-Type gets set properly to siteone_ldap. But if I try using
>
> That's a feature of the ldap module; if it is a named module it sets the
> Auth-Type to that name (otherwise using LDAP).
>
> > ntlm_auth then the Auth-Type is not set even though ntlm_auth returns OK.
>
> The (confusingly named) ntlm_auth module is actually a copy of the exec
> module which checks PAP requests; it does not have that feature.
>
> You are also using it wrong, by running it in the authorize section. You
> want something like:
>
> authorize {
>         if (Realm == ...) {
>                 ldap_siteone
>         }
>         elsif (Realm == ...) {
>                 update control {
>                         Auth-Type := PAP-ntdom
>                 }
>         }
> }
>
> authenticate {
>         Auth-Type ldap_siteone {
>                 ldap_siteone
>         }
>         Auth-Type PAP-ntdom {
>                 ntlm_auth
>         }
> }
>
> I guess the other alternative is:
>
> authorize {
>         if (Realm == ...) {
>                 ldap_siteone
>         }
>         elsif (Realm == ...) {
>                 ntlm_auth
>                 if (ok) {
>                         update control {
>                                 Auth-Type := PAP-ntdom
>                         }
>                 }
>         }
> }
>
> ...but maybe it's not really what you should be doing; authenticate
> should happen after authorize.
Re: Autz-Type examples and parse error
On 13/10/10 15:17, Harry Hoffman wrote:
> Hi Phil,
>
> Thanks for the pointers. I was attempting to use ntlm_auth to ensure the
> account actually existed for the authorization section. And then again in
> the authentication section to ensure the user name and password match.

But that's not what you're doing. You're actually issuing a password check request.

And why check twice? If they don't exist, auth will fail in the authenticate {} section.

> Is there a better way to check for authorization against AD?

It depends. What does authorization in this context mean?

AD has an integrated LDAP server, which is moderately useful; if you configure FreeRadius you can
Autz-Type examples and parse error
Hi All,

I'm following along with the docs for Autz-Type in freeradius-2.1.8, specifically the section about selecting between multiple instances of a module.

In users.conf I have:

DEFAULT Realm == siteone.edu, Autz-Type := siteone_ldap, Auth-Type := siteone_ldap

In sites-enabled/default I have:

authorize {
        preprocess
        chap
        mschap
        suffix
        ntdomain
        Autz-Type siteone_ldap {
                siteone_ldap
        }
        ...
}

authenticate {
        ...
        Auth-Type siteone_ldap {
                siteone_ldap
        }
}

In proxy.conf I have:

realm siteone.edu {
        authhost = LOCAL
        accthost = LOCAL
}

When I run radiusd -XC I get the following parse error:

/etc/raddb/users[205]: Parse error (check) for entry DEFAULT: Unknown value siteone_ldap for attribute Autz-Type
Errors reading /etc/raddb/users

As far as I can tell I'm following the example verbatim. Can someone shed some light on why I'm getting the parse error?

Below is the full debug output:

[r...@avocet raddb]# radiusd -XC
FreeRADIUS Version 2.1.8, for host i386-redhat-linux-gnu, built on Jan 19 2010 at 18:23:59
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/siteone_ntlm_auth
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/siteone_ldap
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
main {
        user = radiusd
        group = radiusd
        allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/radius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/radius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/radiusd/radiusd.pid
        checkrad = /usr/sbin/checkrad
Re: Autz-Type examples and parse error
Harry Hoffman wrote:
> I'm following along with the docs for Autz-Type in freeradius-2.1.8,
> specifically the section about selecting between multiple instances of a
> module.

  In 2.x, there are better ways to do this. See man unlang for conditionally calling a module.

> In users.conf I have:
> DEFAULT Realm == siteone.edu, Autz-Type := siteone_ldap, Auth-Type := siteone_ldap

  Please don't say users.conf. It's the users file.

  The issue is that 2.x has the inner-tunnel virtual server, and the documentation is left over from 1.1.x.

  The solution is instead to *not* use the users file. Instead, do:

authorize {
        ...
        if (Realm == siteone.edu) {
                siteone_ldap
        }
        ...
}

  This will *also* have it automatically set Auth-Type to siteone_ldap, too. That's simpler than the users file entry, and gives less room for mistakes.

  Alan DeKok.