authentication with PEAP (EAP-MSCHAPV2) from WinXP
Hello,

I use freeradius 0.9.3 on a Redhat 9.0 box. I would like to authenticate from WinXP (SP1 with all patches). My test user is in the users file:

criup   Auth-Type := EAP, User-Password == mypass

eap is configured in the sections modules, authorize and authenticate (default config). My wireless card is a Cisco Aironet 802.11 a/b/g that connects to a Cisco Aironet 1100 AP. I searched all archives and documentation without success.

My debug is:

rad_recv: Access-Request packet from host 192.168.200.154:21733, id=96, length=162
        User-Name = criup
        Framed-MTU = 1400
        Called-Station-Id = 000f.34a6.5400
        Calling-Station-Id = 0040.96a1.8d33
        Message-Authenticator = 0xb560044f371b37da8a4f47bdea830755
        EAP-Message = 0x020600060319
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 430
        State = 0x94e83c4f0161a127188534bbf1e614020c7159403e7e8b6273e47bbe24009c81d1dc2e7f
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.200.154
        NAS-Identifier = ap-SBHX
modcall: entering group authorize for request 9383
  modcall[authorize]: module preprocess returns ok for request 9383
  modcall[authorize]: module chap returns noop for request 9383
  rlm_eap: EAP packet type notification id 6 length 6
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 9383
  modcall[authorize]: module digest returns noop for request 9383
    rlm_realm: No '@' in User-Name = criup, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 9383
    users: Matched DEFAULT at 152
    users: Matched DEFAULT at 171
    users: Matched criup at 216
  modcall[authorize]: module files returns ok for request 9383
  modcall[authorize]: module mschap returns noop for request 9383
modcall: group authorize returns updated for request 9383
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 9383
  rlm_eap: EAP packet type notification id 6 length 6
  rlm_eap: EAP Start not found
  rlm_eap: Request not found in the list
  rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  modcall[authenticate]: module eap returns invalid for request 9383
modcall: group authenticate returns invalid for request 9383
auth: Failed to validate the user.
Login incorrect: [criup/no User-Password attribute] (from client ap-sbhx port 430 cli 0040.96a1.8d33)

Any idea? Many thanks in advance.

stephane BRANCHOUX
Centre de Ressources Informatiques de l'Université de Perpignan.
Systems/Networks
mailto:[EMAIL PROTECTED]
04 68 66 21 24

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: authentication with PEAP (EAP-MSCHAPV2) from WinXP
What I can tell from this debug info is that freeradius can't find the password in the users file. It can work if you set the authentication type on your Cisco Aironet 1100 to CHAP and change the Auth-Type in the users file to Auth-Type := Local. This works quite well for me (only not with a Cisco Aironet 1100 ;-)).

Tim Bots

-----Original Message-----
From: stephane BRANCHOUX [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 10:54
To: [EMAIL PROTECTED]
Subject: authentication with PEAP (EAP-MSCHAPV2) from WinXP
external program execution problem
Hi,

I'm executing an external script when accounting starts (in the acct_users file, using Exec-Program-Wait). My script invokes another script as a background process and continues its own execution. This works when executing in a shell, but when radius starts the script, radius waits until the background script finishes! Why? Shouldn't radius wait only for the script which was invoked directly by radius?

Hope someone has an idea...

Thanks,
Lokotes
Error Message and question
Hi,

My radius server gives "MYSQL check_error: 1054 received" after the user authorization process. What does it mean? My usergroup table is empty!!!

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
radius_xlat:  'dark'
rlm_sql (sql): sql_set_user escaped user --> 'dark'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'dark' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'dark' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql_getvpdata: database query error
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'dark' ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dark' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: MYSQL check_error: 1054 received
rlm_sql_getvpdata: database query error
rlm_sql (sql): Released sql socket id: 4

And my second question is: I'm exporting detail to MySQL, but I want to export detail to PostgreSQL at the same time as MySQL. I edited my radiusd.conf like this:

# Include another file that has the SQL-related configuration.
# This is another file solely because it tends to be big.
#
# The following configuration file is for use with MySQL.
#
# For Postgresql, use:          ${confdir}/postgresql.conf
# For MS-SQL, use:              ${confdir}/mssql.conf
#
$INCLUDE ${confdir}/sql.conf
$INCLUDE /usr/local/radiusd/etc/raddb/postgresql.conf

# Write a 'utmp' style log file, of which users are currently
# logged in, and where they've logged in from.
#

And postgresql.conf like this:

# Connect info
server = localhost
login = puser
password = ppass

# Database table configuration
radius_db = pdata_db

But in postgres the radacct table is empty.
RE: Using freeradius to authenticate users to a Windows 2000 AD
Here is the debug output:

Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:38245, id=181, length=56
        User-Name = test
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module eap returns noop for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by test with password test
radius_xlat:  '(sAMAccountName=test)'
radius_xlat:  'o=notexist'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:389, authentication 0
rlm_ldap: bind as CN=freeradius,CN=Users,DC=my,DC=domain,DC=com/password to my.dc.com:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in o=notexist, with filter (sAMAccountName=test)
request 2 done
rlm_ldap: ldap_search() failed: Operations error
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module ldap returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

Albers Darren [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/17/2004 07:46 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Oops, I forgot the link http://lists.cistron.nl/archives/freeradius-users/2004/03/frm00428.html

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albers Darren
Sent: Wednesday, March 17, 2004 10:04 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve,

Here is a link to that earlier post of mine, it might be more helpful. Feel free to post your radiusd.conf and I will see if I can help.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve OBrien
Sent: Wednesday, March 17, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Well, it still seems not to be working. And I could not find your other article; I searched for radiusd.conf and your name and email with no luck. The output is not helpful:

Request:
/usr/local/bin/radtest guest test localhost 1 testing123
Sending Access-Request of id 104 to 127.0.0.1:1812
        User-Name = guest
        User-Password = test
        NAS-IP-Address = blade1.ci.bend.or.us
        NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20

Response:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57
        User-Name = guest
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module eap returns noop for request 0
    rlm_realm: No '@' in User-Name = guest, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request

Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393

Albers Darren [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/17/2004 11:37 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

With the help of another individual on this list, Richard Lucassen, we were able to get it working to authenticate against either a group or against AD as a whole. To see an example I posted of just authenticating a user in general against AD, look for another post by me with a sample radiusd.conf. Here is what Richard and I put together to get group auth working, this may not be the 100% correct way but
Re: How to Define Ldap-Group to use different instances of ldapmodule ?
Thank you, I've tried out your suggestion and it works well and solves the problem! Thanks again,

Josh

[EMAIL PROTECTED] 03/17/04 02:27pm

I don't think you need to do that. Check out http://www.doris.cc/radius. You can have the same lookup, just the uid, but then check for a certain group based on the NAS-IP or NAS-Port-Type etc. What you are doing now is looking for something like dialuphomeenabled=yes as well as the uid when authorizing the user.

snip

Dusty Doris
leap works, mschap does not
This message is for Alan DeKok. Thank you for responding to my email.

I do not necessarily know how to implement mschap; it is actually "Secured password (EAP-MSCHAP v2)" on the Orinoco gold card. The only thing I have set up in freeradius that works is LEAP so far. Let's start from the beginning:

I downloaded freeradius 0.9.3 and unzipped it. After installation, I went to /usr/local/etc/raddb/ and from there put in my changes in files to implement leap and mschap. In radiusd.conf I edited the default_eap_type to mschap (perhaps this does not matter now that it seems eap and chap are not the same after reading your email). In users I put in the user name and password. In clients, I entered the access point IP address and the key. This is all that I have done.

If I set the default_eap_type in radiusd.conf to leap or md5, leap will work with a Cisco client card. When trying to implement mschap, I am using an Orinoco gold card that offers to use PEAP, then "Secured password (EAP-MSCHAP v2)" within PEAP. This also appears to give me the opportunity to avoid using a certificate. The Orinoco gold card then offers me a logon using username, password and domain. I use the username and password only. This is when the radius server returns the message I will again send below.

Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.16.30.165:1645, id=8, length=123
        User-Name = Joe
        Framed-MTU = 1400
        Called-Station-Id = 000d.bdda.b379
        Calling-Station-Id = 0002.2d5e.d7a4
        Message-Authenticator = 0x59f628e88f1fbb34059861e921e58a5d
        EAP-Message = 0x0202000d017363687565747a62
        NAS-Port-Type = Virtual
        NAS-Port = 353
        NAS-IP-Address = 172.16.30.165
        NAS-Identifier = ap
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  modcall[authorize]: module eap returns updated for request 0
    rlm_realm: No '@' in User-Name = joe, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched joe at 74
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate for request 0
  rlm_eap: EAP packet type notification id 2 length 13
  rlm_eap: EAP Start not found
  rlm_eap: Configured EAP_TYPE is not supported
  rlm_eap: EAP Identity
  rlm_eap: Unsupported EAP_TYPE 1
  modcall[authenticate]: module eap returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 8 to 172.16.30.165:1645
        EAP-Message = 0x04020004
        Message-Authenticator = 0x
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 8 with timestamp 40562aa3
Nothing to do.  Sleeping until we see a request.

Thanks,
Brian
Re: leap works, mschap does not
Brian Schuetz [EMAIL PROTECTED] wrote:
> I do not necessarily know how to implement mschap, it is actually
> (Secured password (EAP-MSCHAP v2) on the Orinoco gold card.

Version 0.9.3 does not support that. Only the latest CVS snapshot supports it.

> In radiusd.conf I edited the default_eap_type to mschap

Which is wrong. It will never work. Nothing in the configuration files would lead you to believe that it would work.

> When trying to implement mschap, I am using an Orinoco gold card that
> offers to use peap then secured password (EAP-MSCHAP v2) within peap.

Nothing in the configuration files leads anyone to believe that 0.9.3 implements EAP-MSCHAP-V2, or PEAP. Only the latest CVS snapshot has support for those protocols.

Alan DeKok.
Re: authentication with PEAP (EAP-MSCHAPV2) from WinXP
stephane BRANCHOUX [EMAIL PROTECTED] wrote:
> I use freeradius 0.9.3 on a Rehdat 9.0 box.

That version does not support PEAP. Use the latest CVS snapshot.

Alan DeKok.
Re: external program execution problem
Lokotes [EMAIL PROTECTED] wrote:
> This works when executing in shell but when radius starts the script,
> radius waits until background script finishes! Why? Shouldn't radius
> wait only for script which was invoked directly by radius?

Yes. That script isn't finished, because it's waiting for the SIGCHLD from the child.

Alan DeKok.
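The script below is an added illustration of the behaviour discussed in this thread; it is example code written for this page, not from the list or from the FreeRADIUS project. With Exec-Program-Wait, radiusd reads the program's standard output to turn it into reply attributes, so it cannot consider the program finished until every process holding the write end of that pipe has closed it. A child that was backgrounded without redirecting its descriptors inherits that pipe and keeps the hook "running" from radiusd's point of view. Command substitution in the shell waits for EOF in exactly the same way, which is what the timing helper relies on. The function names and the two-second sleep standing in for the poster's second script are assumptions of this example.

```shell
#!/bin/sh
# Added example: why a caller that reads a script's output keeps waiting for a
# backgrounded child, and how to detach the child properly.

# Stand-in for the second script the poster launches in the background
# (assumed here to be a two-second job).
slow_job() {
    sleep 2
}

# Naive hook: the job is backgrounded but still attached to the inherited
# stdout. Anything reading that stdout until EOF (radiusd with
# Exec-Program-Wait, or $(...) below) stays blocked until slow_job exits.
naive_hook() {
    slow_job &
    echo done
}

# Detached hook: give the job its own stdin/stdout/stderr so the only writer
# left on the inherited pipe is this shell. EOF arrives as soon as the hook
# itself exits, and the job keeps running on its own.
detached_hook() {
    slow_job </dev/null >/dev/null 2>&1 &
    echo done
}

# Runs the named hook through a pipe, the way a parent reading the child's
# output would, and prints the whole seconds the read took. Returns 1 if
# the hook's output was not the expected "done".
seconds_to_read() {
    start=$(date +%s)
    out=$("$1")
    end=$(date +%s)
    [ "$out" = "done" ] || return 1
    echo $((end - start))
}

# Stand-alone usage: both hooks print "done" immediately, but only the
# detached one lets the reader continue before slow_job has finished.
if [ "${1:-}" = "demo" ]; then
    printf 'naive hook: reader waited %ss\n' "$(seconds_to_read naive_hook)"
    printf 'detached hook: reader waited %ss\n' "$(seconds_to_read detached_hook)"
fi
```

Run it as `sh detach.sh demo` to see the two timings side by side. The same reasoning applies to stderr and stdin: any descriptor the background job inherits from the hook can keep the parent waiting, so redirect all three (or use `setsid`/`nohup` where available) rather than relying on `&` alone.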
Any idea how to change attribute and not just the value?
I have been searching for ideas the whole day by browsing the archives but I've not managed to solve my problem yet.

The setup: freeradius-snapshot-20040317 connected to pgsql. We have different NASes (Tigris, Ascend and Cisco to name some). Earlier the default DNS servers were sent to the clients directly from the NAS boxes. But later on we decided we wanted to set specific DNS entries for some users, otherwise the default DNS.

The problem is as follows. To set the DNS on the Tigris, we have to send the following attributes:

        Acc-Dns-Server-Pri = 10.0.0.1,
        Acc-Dns-Server-Sec = 10.0.0.2,

But when we want to set them on the Ascend, these are the attributes we must send:

        Ascend-Client-Primary-DNS = 10.0.0.1,
        Ascend-Client-Secondary-DNS = 10.0.0.2,

So what I've tried now that _almost_ works (in 3 cases of 4 :) ) is that I've configured some huntgroups:

tigris  NAS-IP-Address == 192.168.100.1
ascend  NAS-IP-Address == 192.168.100.2

In the users file I have the following lines:

DEFAULT Huntgroup-Name == tigris
        Port-Limit = 2,
        Fall-Through = 1,
        Login-Service = Rlogin,
        Login-Host = BESTHOST,
        Acc-Dns-Server-Pri = 10.0.0.1,
        Acc-Dns-Server-Sec = 10.0.0.2,
        Framed-Protocol = PPP,
        Framed-Routing = None

DEFAULT Huntgroup-Name == ascend
        Port-Limit = 2,
        Fall-Through = 1,
        Login-Service = Rlogin,
        Login-Host = BESTHOST,
        Ascend-Client-Primary-DNS = 10.0.0.1,
        Ascend-Client-Secondary-DNS = 10.0.0.2,
        Framed-Protocol = PPP,
        Framed-Routing = None

The users get verified in the SQL database, and the idea is to add the attributes for the users we want to set specific DNS servers for in the radreply table. So I've added the following to the radreply table:

 id | username |          attribute          | op |  value
----+----------+-----------------------------+----+----------
  1 | test     | Ascend-Client-Primary-DNS   | := | 10.0.0.3
  2 | test     | Ascend-Client-Secondary-DNS | := | 10.0.0.4

When I act as the Ascend NAS I get the answer I want from the radius server, with the Pri/Sec DNS set to .3 and .4. But when I act as a Tigris and send an auth request I get both the default Acc-Dns-Server entries and the Ascend-Client entries from the database. This is of course as expected since this is how I configured the server, but not what I want in the end :)

I've checked out the attr_rewrite module but from what I've read and what I understand in the config, I can only use it to rewrite the value of a specific attribute?! Is there a way for me to rewrite the attribute itself and not just the value?

One way to solve it is to run two different SQL queries against radreply depending on whether the request is from a Tigris or an Ascend. Then I can use a stored procedure in pgsql to rewrite the attributes and leave the values intact.

Any ideas?

Sincerely,
Max!
help with FreeRADIUS, MySQL, and Attributes
Currently, we are running TCCRadius with MySQL. We have a standard dialup service as well as a FastWeb service (using SlipStream, www.slipstreamdata.com). I am testing FreeRADIUS right now but I need some help.

I have moved the data from our old MySQL database for TCCRadius into the FreeRADIUS MySQL database (using this web page for help: http://www.frontios.com/freeradius.html). Here's where I need help though:

For authentication on TCCRadius we had username, password, the user's full name (the full name was not used for authentication), and an additional 'Attributes' field to tell if the user subscribed to our FastWeb service. If someone subscribed to FastWeb, we would put slipstream-auth=true into the 'Attributes' field.

I am unsure how to set this up for FreeRADIUS; it seems like it should be easy. Should I make two different groups (in radgroupcheck) for the users, one for regular dialup and one for FastWeb, and then in the usergroup table tell if they are FastWeb or regular dialup? The only problem is, when the SlipStream (FastWeb) service asks for authentication, how to tell it true or false.

Sorry if this is long and confusing. Please give some help if you can. If you need any other information, just ask.

Thanks,
Evan
RE: Using freeradius to authenticate users to a Windows 2000 AD
Steve,

I've seen that Operations error before with FreeRadius AD LDAP access. It appears to happen consistently when LDAP is used as opposed to LDAPS (this is more pronounced with Windows Server 2003 DCs, but happens with Win2K as well). If you change the port to 636 (with start_tls=no), you will be using LDAPS to AD. In this case, the Operations error does not happen, and the AD lookup works well. You should note that you will need to import your Windows DC Root CA cert onto the FreeRadius box for this to work; this is pretty straightforward using the OpenSSL and OpenLDAP tools. Let me know if you need instructions to do this latter part.

Also note (this would be happening now with LDAP or LDAPS) that depending on your base DN and the location of the users in your AD tree, the AD LDAP server could be returning referrals. These are also chased by the FreeRadius LDAP interface, and could go to DCs that you did not configure in your radiusd.conf file, depending on the DNS resolution returned. You can see if this is happening by setting ldap_debug = 0x0001.

Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 March 2004 2:35 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
RE: Using freeradius to authenticate users to a Windows 2000 AD
Here is some debug; it looks like I am getting closer..

rad_recv: Access-Request packet from host 127.0.0.1:41885, id=196, length=56
        User-Name = test
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 8
  modcall[authorize]: module preprocess returns ok for request 8
  modcall[authorize]: module chap returns noop for request 8
  modcall[authorize]: module eap returns noop for request 8
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 8
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 8
  modcall[authorize]: module mschap returns noop for request 8
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat:  '(&(SamAccountName=test)(memberOf=CN=RemoteUser,CN=Users,DC=testdc,DC=win2K3,DC=bend))'
radius_xlat:  'DC=testdc,dc=win2K3,dc=bend'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 192.168.2.247:389, authentication 0
rlm_ldap: bind as CN=freeradius,CN=Users,DC=testdc,DC=win2K3,DC=bend/freerad1us to 192.168.2.247:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in DC=testdc,dc=win2K3,dc=bend, with filter (&(SamAccountName=test)(memberOf=CN=RemoteUser,CN=Users,DC=testdc,DC=win2K3,DC=bend))
request 4 done
request 6 done
request 8 done
request 2 done
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns fail for request 8
modcall: group authorize returns fail for request 8
Finished request 8
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:41885, id=196, length=56
Dropping packet from client localhost:41885 - ID: 196 due to dead request 8
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 8 ID 196 with timestamp 405a24b3
Nothing to do.  Sleeping until we see a request.

Albers Darren [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/17/2004 07:04 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
RE: Using freeradius to authenticate users to a Windows 2000 AD
Thanks Tarun, yes I would like instructions for importing my root CA into my freeradius box!

Tarun Bhushan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/18/2004 03:06 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

I've seen that "Operations error" before with FreeRadius AD LDAP access. It appears to happen consistently when LDAP is used as opposed to LDAPS (this is more pronounced with Windows Server 2003 DCs, but happens with Win2K as well). If you change the port to 636 (with start_tls=no), you will be using LDAPS to AD. In this case, the "Operations error" does not happen, and the AD lookup works well. You should note that you will need to import your Windows DC Root CA cert onto the FreeRadius box for this to work - this is pretty straightforward by using OpenSSL and OpenLDAP tools. Let me know if you need instructions to do this latter part.

Also note (this would be happening now with LDAP or LDAPS) that, depending on your base DN and the location of the users in your AD tree, the AD LDAP server could be returning referrals. These are also chased by the FreeRadius LDAP interface, and could go to DCs that you did not configure in your radiusd.conf file, depending on the DNS resolution returned. You can see if this is happening by setting ldap_debug = 0x0001.

Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 March 2004 2:35 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Here is the debug output:

Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:38245, id=181, length=56
	User-Name = test
	User-Password = test
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module eap returns noop for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type LDAP
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by test with password test
radius_xlat:  '(sAMAccountName=test)'
radius_xlat:  'o=notexist'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to cityhalldc1.ci.bend.or.us:389, authentication 0
rlm_ldap: bind as CN=freeradius,CN=Users,DC=my,DC=domain,DC=com/password to my.dc.com:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: performing search in o=notexist, with filter (sAMAccountName=test)
request 2 done
rlm_ldap: ldap_search() failed: Operations error
ldap_release_conn: Release Id: 0
  modcall[authenticate]: module ldap returns fail for request 0
modcall: group Auth-Type returns fail for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

Albers Darren [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/17/2004 07:46 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Oops, I forgot the link:
http://lists.cistron.nl/archives/freeradius-users/2004/03/frm00428.html
RE: Using freeradius to authenticate users to a Windows 2000 AD
Here is part of my config, I can't send it all because the listserver keeps bouncing it back...

[snip]
	ldap {
		server = 192.168.2.247
		identity = CN=freeradius,CN=Users,DC=testdc,DC=win2K3,DC=bend
		password = freerad1us
		basedn = DC=testdc,dc=win2K3,dc=bend
		filter = (&(SamAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=RemoteUser,CN=Users,DC=testdc,DC=win2K3,DC=bend))
		#filter = (SamAccountName=%u)
		#access_attr = dialupAccess

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		ldap_debug = 0x0028
		start_tls = no
		password_attribute = userPassword
		timeout = 4
		timelimit = 3
		net_timeout = 1
		compare_check_items = yes
	}
[snip]

	# Uncomment it if you want to use ldap for authentication
	Auth-Type LDAP {
		ldap
	}

	#
	# Allow EAP authentication.
[snip]
RE: Using freeradius to authenticate users to a Windows 2000 AD
Steve

The instructions are shown below. I see that you have included the group membership check into your filter. I have not done this - I have stuck with the separate group membership check shown in the default FreeRadius radiusd.conf - it does make an extra LDAP call, but it works.

Just as a matter of interest, I also use configurable failover to three separate DCs - that works well too - you only need the root CA cert for LDAPS to all of them.

Tarun

=== Document ===

In order that LDAP clients can connect to Active Directory with TLS/SSL, we need to make some configuration changes.

Export the Active Directory root CA certificate in DER format. This is usually done on a Windows domain controller running Certification Services. It has been observed that this server needs to have a name without underscores in it.

Copy the exported certificate file to the /etc/openldap/demoCA directory - we will use this existing directory for our CA certificates. The file would normally end with .cer.

We need to convert this file to PEM format. This is done with:

shell> openssl x509 -in rootdc.ca.cer -inform d -out rootdc.ca.pem

We now need to modify the file /etc/openldap/ldap.conf to look like:

==========
# @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host rootdc.somecompany.com

# The distinguished name of the search base.
base dc=somecompany,dc=com

# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn uid=lookup,dc=somecompany,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw nothing

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Active Directory SSL options
ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer no

# CA certificates for server certificate verification
TLS_CACERT /etc/openldap/demoCA/rootdc.ca.pem
==========

Note the pointer to the CA PEM file we created earlier.

It should be noted that the AD servers will need to have SSL (TLS) certificates generated/installed, and have the LDAP interface listening on the LDAPS port (636). As passwords and other authentication/authorisation data will be exchanged across the network, this channel should not be in clear-text.

=== End Document ===
dialup-admin
Hi,

I used to run Redhat 9 but I upgraded to Fedora Core 1 using yum. I run apache 2.0.4 and php 4.3.4 and postgresql 7.3.4 on Fedora Core 1. I run yum as a cron job to update my system every night. I am no longer able to use dialup-admin. Anytime I click on New User I get the error message "Could not connect to SQL database". What could be wrong? Does dialup_admin work with php running as a module on apache?

Thanks.

Kafui Amedzekor.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
TTLS + LDAP authentication
Dear all,

I'm a newbie to FR so please bear with me. I'm doing TTLS for wireless access. The wireless client is Alfa-Ariss SecureW2 with Netscape LDAP as backend (passwords are SHA encrypted). FR is CVS snapshot-20040308 running on RH9.

I planned to retrieve the encrypted password from LDAP. During the final stage of the TTLS authentication, use the PAP module to encrypt the cleartext password from SecureW2 into a SHA hash and compare it with the retrieved one. But what actually happens is that FR indicates it found 'Auth-Type LDAP' during the final stage (request 5 in my debug) and proceeds to use LDAP for user password authentication; since I didn't enable LDAP for authentication, it failed. If I enable LDAP for authentication, it works. A successful bind to LDAP will authenticate the user. But the cleartext password is used and I would rather avoid it.

So how can I use PAP for password authentication, or is it not possible? Below are the debug output, users file and radiusd.conf. Any input greatly appreciated.

--- Debug output ---
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined.  Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = sha1
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = md5
 ttls: copy_request_to_tunnel = yes
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module:
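The inner-tunnel comparison the poster is after, written out as an added Python example that is not from the thread and not FreeRADIUS code: hash the cleartext PAP password that arrives through the TTLS tunnel and compare it against the {SHA} (or salted {SSHA}) userPassword value already fetched from the directory, so the cleartext is never used to bind to LDAP. The sample hash values are constructed here (both encode the password "secret"); they are not from the poster's directory.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample values (not from the thread): Netscape/iPlanet-style
# userPassword attributes in RFC 2307 "{SCHEME}base64" form, both for "secret".
SHA_USERPASSWORD = "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ="
FIXED_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed, for a repeatable demo


def parse_userpassword(value: str) -> Tuple[str, bytes]:
    """Split "{SCHEME}base64..." into (SCHEME, decoded bytes)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("userPassword has no {SCHEME} prefix")
    scheme, _, encoded = value[1:].partition("}")
    return scheme.upper(), base64.b64decode(encoded)


def make_ssha(cleartext: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, cleartext: str) -> bool:
    """True if cleartext matches the stored {SHA}/{SSHA} value.

    This is the comparison a PAP module with a SHA scheme performs on a hash
    it has read from LDAP: hash the tunnelled cleartext and compare digests in
    constant time, never binding to the directory with the user's password.
    """
    scheme, raw = parse_userpassword(stored)
    pw = cleartext.encode("utf-8")
    if scheme == "SHA":
        if len(raw) != 20:              # a SHA-1 digest is exactly 20 bytes
            return False
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]
        if len(digest) != 20 or not salt:
            return False
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError(f"unsupported userPassword scheme {{{scheme}}}")


SSHA_USERPASSWORD = make_ssha("secret", salt=FIXED_SALT)

if __name__ == "__main__":
    for stored in (SHA_USERPASSWORD, SSHA_USERPASSWORD):
        print(stored, check_password(stored, "secret"), check_password(stored, "Secret"))
```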
RE: Using freeradius to authenticate users to a Windows 2000 AD
Now I am seeing this in the windows dc server log:

A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x

I was using the CA certificate but that cannot be exported with the private key (AFAIK). My CA is a member server not a dc.

[EMAIL PROTECTED] wrote: -----
To: [EMAIL PROTECTED]
From: "Tarun Bhushan" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 03/18/2004 06:57PM
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Yes - I did mention this in an earlier mail. Relevant portion of radiusd.conf shown below. The combination of Port=636 AND start_tls=no is important. In my experience, setting start_tls=yes does not work with AD or Novell eDirectory, but does work with OpenLDAP.

	ldap ldap1 {
		server = "somedc.somecompany.com"
		port = 636
		identity = "cn=lookup,ou=users,dc=somecompany,dc=com"
		password = Password
		basedn = "dc=somecompany,dc=com"
		filter = "(cn=%U)"

		# set this to 'yes' to use TLS encrypted connections
		# to the LDAP database.
		start_tls = no
		#tls_mode = no

		# Mapping of RADIUS dictionary attributes to LDAP
		# directory attributes.
		dictionary_mapping = ${raddbdir}/ldap.attrmap

		# ldap_cache_timeout = 120
		# ldap_cache_size = 0
		ldap_connections_number = 10
		groupname_attribute = cn
		groupmembership_filter = "(&(objectClass=Group)(member=%{Ldap-UserDn}))"
		timeout = 10
		timelimit = 10
		net_timeout = 5
		#ldap_debug = 0x
		#ldap_debug = 0x0001
		compare_check_items = yes
		access_attr_used_for_allow = no
	}

Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 March 2004 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Do you need to modify the radiusd.conf file to use ldaps?
Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393
RE: Using freeradius to authenticate users to a Windows 2000 AD
Steve

I don't know the Windows side well - you might need to do some Googling to find out what this error means. Sorry.

Also, you definitely do not export the private key. That remains on the CA.

Regards
Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 March 2004 5:51 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
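A checker for the radiusd.conf ldap { } blocks posted in this thread, as an added Python example that is neither from the thread nor from FreeRADIUS: it parses the block and flags port 389 with start_tls = no (the clear-text channel Tarun's document warns about), start_tls = yes combined with port 636 (STARTTLS on a port that is already TLS), and the stock basedn placeholder o=notexist that the earlier debug output is seen searching under. The two sample blocks are constructed with placeholder host, DNs and password.

```python
import re
from typing import Dict, List

# Constructed radiusd.conf fragments modelled on the two in this thread
# (placeholder host, DNs and password; not real values).
CLEARTEXT_BLOCK = """
ldap {
        server = "dc1.example.test"        # no port line: rlm_ldap defaults to 389
        identity = "CN=freeradius,CN=Users,DC=example,DC=test"
        password = "PLACEHOLDER"
        basedn = "o=notexist"              # stock placeholder left in place
        start_tls = no
}
"""

LDAPS_BLOCK = """
ldap ldap1 {
        server = "dc1.example.test"
        port = 636                         # LDAPS, as recommended in the thread
        identity = "CN=freeradius,CN=Users,DC=example,DC=test"
        password = "PLACEHOLDER"
        basedn = "DC=example,DC=test"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        #tls_mode = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
}
"""

_BLOCK_START = re.compile(r"^\s*ldap(\s+\S+)?\s*\{")
_ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def _strip_comment(line: str) -> str:
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def parse_ldap_block(text: str) -> Dict[str, str]:
    """Return the key = value settings of the first ldap { ... } block."""
    settings: Dict[str, str] = {}
    inside = False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not inside:
            inside = bool(_BLOCK_START.match(line))
            continue
        if line.strip() == "}":
            break
        m = _ASSIGN.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]   # drop surrounding double quotes
            settings[key] = value
    return settings


def lint_ldap_block(text: str) -> List[str]:
    """Flag the transport and placeholder problems that show up in this thread."""
    s = parse_ldap_block(text)
    if not s:
        return ["no ldap { } block found"]
    findings: List[str] = []
    port = int(s.get("port", "389"))                 # rlm_ldap default port
    start_tls = s.get("start_tls", "no").lower() == "yes"
    if port == 636 and start_tls:
        findings.append("start_tls = yes on port 636: STARTTLS belongs on the "
                        "plain port, 636 is already TLS")
    elif port != 636 and not start_tls:
        findings.append(f"port {port} with start_tls = no: the bind password "
                        "and user lookups cross the network in clear text")
    if s.get("basedn", "").lower() == "o=notexist":
        findings.append("basedn is the stock placeholder o=notexist: searches "
                        "cannot find the AD users")
    return findings
```

The ldap.conf in Tarun's document sets tls_checkpeer no, which (as its own comment says) tells the client not to require and verify the DC's certificate, so the CA placed in TLS_CACERT is only enforced once that is set to yes. Separately, the radiusd -X output earlier in this thread prints the bind identity and password on the "bind as" line, so treat debug captures as sensitive before posting them.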
segmentation fault
Hi there,

I downloaded freeradius-snapshot-20040317.tar.gz and compiled against openssl-0.9.7d. It produces a segmentation fault when I run TLS authentication. Here is part of the message derived from the core dump in gdb:

#0  0x40219015 in rad_mangle (data=0x8142e80, request=0x814a838) at rlm_preprocess.c:186
186             request_pairs = request->packet->vps;
(gdb) where
#0  0x40219015 in rad_mangle (data=0x8142e80, request=0x814a838) at rlm_preprocess.c:186
#1  0x402196f6 in preprocess_authorize (instance=0x8142e80, request=0x814a838) at rlm_preprocess.c:570
#2  0x08054cde in module_post_auth ()
#3  0x08054e96 in modcall ()
#4  0x08054d63 in module_post_auth ()
#5  0x08054e45 in modcall ()
#6  0x08054a30 in module_authorize ()
#7  0x08051f33 in rad_authenticate ()
#8  0x0804d4c9 in rad_respond ()
#9  0x0805675c in radius_xlat ()
#10 0x40074fef in pthread_start_thread () from /lib/i686/libpthread.so.0

Regards,
Ang Way Chuang