mpd+freeradius+AD

2006-06-26 Thread Егоров Сергей

Hi all! I have completed setup of mpd+freeradius+AD
2003. Now my users are authenticating from Active Directory, if they are members of
a specific group. But I still have some questions:

 1. How to make different timeouts for different groups in AD
 2. How to appoint a special IP for special users
 3. How to restrict users to access only a defined IP in my network

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Malfunctioning Nomadix

2006-06-26 Thread Santiago Balaguer García
True. Nomadix developers told me it is a problem of my RADIUS server. I 
think it is almost impossible because a RADIUS server is a 'silly' machine. 
If an NSE tells RADIUS to insert a register in radacct, the RADIUS server does 
so, and the NAS is supposed to control its IDs. It is true I can add a DB rule 
that verifies the existence of a unique ID.


 Sincerely, I work with other NASes (Gemtek P-560, P-564, ISS2000, MTR 
amphora, MT...) and Nomadix (AG2000 and 2100) cause some errors. Moreover, 
this device does not implement the SNMP MIB well.



Hi,

I've seen this with our Nomadix USG and AG series devices as well - often
the NSE will send requests multiple times, but I can never understand why.
There are a few other bugs in the RADIUS code in Nomadix as well, for
example I have never managed to get round robin working as I would expect
(50% to each server).

With our RADIUS setup the multiple stop or start packets do not cause any
problems as the session ID is unique so a duplicate cannot be inserted into
our accounting database.

I am in discussions with developers at Nomadix at the moment about stability
issues, and I have also mentioned these RADIUS issues to them as well -
hopefully they will be fixed soon! Which devices and firmware versions do
you have this problem with?




Re: LDAP(Active Directory) password AND groups not working together

2006-06-26 Thread duckeo

On 6/26/06, duckeo <[EMAIL PROTECTED]> wrote:

Some random garbage


Okay solved a few issues but found a few more - realised I had a typo
in the above post and corrected that.

The issue remaining is still the handling of failures. The debug
output seems to indicate an Auth-Type reject is present, but not
matching it to the user file.

I've tried simplifying things a bit:

Users file:
DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN"
   Service-Type = Framed,
   Framed-Protocol = PPP,
   Framed-IP-Address = 255.255.255.254,
   Framed-IP-Netmask = 255.255.255.255,

DEFAULT Auth-Type := Reject
   Reply-Message = "Access Rejected - Please check your username and password and try again."

Debug output upon VALID user with incorrect password:
rad_recv: Access-Request packet from host 10.200.148.49:4885, id=206, length=50
   User-Name = "radiustest"
   User-Password = "radiustest1"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
 modcall[authorize]: module "preprocess" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for radiustest
radius_xlat:  '(&(sAMAccountname=radiustest)(objectClass=person))'
radius_xlat:  'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter (&(sAMAccountname=radiustest)(objectClass=person))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user radiustest authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar'
radius_xlat:  '(&(objectClass=group)(member=CN=Test\\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter (&(cn=RadiusWirelessVPN)(&(objectClass=group)(member=CN=Test\\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar)))
rlm_ldap::ldap_groupcmp: User found in group RadiusWirelessVPN
rlm_ldap: ldap_release_conn: Release Id: 0
   users: Matched entry DEFAULT at line 219
 modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns ok for request 2
 rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "radiustest" with password "radiustest1"
rlm_ldap: user DN: CN=Test\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar
rlm_ldap: (re)connect to foo.bar.foo.bar:389, authentication 1
rlm_ldap: bind as CN=Test\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar/radiustest1 to foo.bar.foo.bar:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
 modcall[authenticate]: module "ldap" returns reject for request 2
modcall: group Auth-Type returns reject for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 206 to 10.200.148.49:4885
   Reply-Message = "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 206 with timestamp 449f945f
Nothing to do.  Sleeping until we see a request.


The thing that puzzles me is:
rlm_ldap: ldap_release_conn: Release Id: 0
   users: Matched entry DEFAULT at line 219

It matches a DEFAULT line in users, but doesn't send the reply? It
continues to try to authenticate the user, and on the second time
fails to bind (due to incorrect credentials) and doesn't match the
line in Users:
rlm_ldap: Bind failed with invalid credentials
rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
 modcall[authenticate]: module "ldap" returns reject for request 2
modcall: group Auth-Type returns reject for request 2
auth: Failed to validate the user.

And instead sends back via radius (in an Access-Reject packet):
Reply-Message=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

Any ideas on this one?


Re: LDAP(Active Directory) password AND groups not working together

2006-06-26 Thread Phil Mayers

duckeo wrote:


It matches a DEFAULT line in users, but doesn't send the reply? It


You're misunderstanding how FreeRadius works when processing the request 
I think. Broadly, it does this (the behaviour can be changed - see 
doc/configureable_failover for details):


 1a. For each entry in "authorize":
       execute module
       if reject: send reject and stop
       else go to next module
 1b. If Autz-Type has been set, repeat 1a for the matching Autz-Type
     subsection of authorize
 2.  Execute exactly one section from "authenticate" to actually process
     the request


I'm not entirely certain, but I think you're expecting that your:

DEFAULT Auth-Type := Reject
   Reply-Message = "some text"

...will be used if/when the request is rejected, which is not so. The 
entries in the users file are processed in order until one matches. If 
that entry matched, it would immediately reject the request.


There is not AFAIK an easy way to set the Reply-Message in a reject 
generated by the ldap module. It can almost certainly be done - see 
doc/configureable_failover - but why bother.


Also, you're setting Auth-Type. With the exception of setting it to 
Reject and some specialised cases, you do not usually want to do that. 
See copious comments about such in the list archives. In your case, your 
users file need only read:


DEFAULT Ldap-Group == "RadiusWirelessVPN"
   Service-Type = Framed,
   Framed-Protocol = PPP,
   Framed-IP-Address = 255.255.255.254,
   Framed-IP-Netmask = 255.255.255.255,

DEFAULT Auth-Type := Reject
   Reply-Message = "You are not in the VPN group"



continues to try to authenticate the user, and on the second time
fails to bind (due to incorrect credentials) and doesn't match the
line in Users:


Yes, because FreeRadius is long done with matching the users file by 
that point.



rlm_ldap: Bind failed with invalid credentials
rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
 modcall[authenticate]: module "ldap" returns reject for request 2
modcall: group Auth-Type returns reject for request 2
auth: Failed to validate the user.

And instead sends back via radius (in an Access-Reject packet):
Reply-Message=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece


I agree returning this isn't terribly helpful (then again, it isn't a 
terribly helpful error message from AD, but I've come to expect that). 
If you really must change the text of this reply message, you could try 
executing an attr_rewrite module in the post-auth section, REJECT 
sub-section, like so (untested):


modules {
  attr_rewrite aderrmsg {
    attribute = Reply-Message
    searchin = reply
    searchfor = "^.*$"
    replacewith = "password incorrect"
  }
}

authorize {
  ..blah..
}

authenticate {
  ..blah..
}

post-auth {
  Post-Auth-Type REJECT {
    aderrmsg
  }
}
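
The processing order described in this reply, as a simplified Python model added here (not FreeRADIUS code and not part of the original post). The DIRECTORY table, its passwords and the function names are constructed for illustration.

```python
import hmac

# Users file from the reply above, as ordered (check items, reply items) pairs.
USERS_FILE = [
    ({"Ldap-Group": "RadiusWirelessVPN"},
     {"Service-Type": "Framed", "Framed-Protocol": "PPP"}),
    ({"Auth-Type": "Reject"},
     {"Reply-Message": "You are not in the VPN group"}),
]

# Constructed stand-in for Active Directory: bind password and group membership.
DIRECTORY = {
    "radiustest": {"password": "correct-example-pw",
                   "groups": {"RadiusWirelessVPN"}},
    "guest": {"password": "guest-example-pw", "groups": set()},
}

# Text the ldap module put into the Access-Reject in the debug output.
LDAP_BIND_ERROR = ("80090308: LdapErr: DSID-0C090334, comment: "
                   "AcceptSecurityContext error, data 52e, vece")


def files_authorize(user):
    """Step 1a: walk the users file in order and stop at the first match."""
    groups = DIRECTORY.get(user, {}).get("groups", set())
    for check, reply in USERS_FILE:
        wanted = check.get("Ldap-Group")
        if wanted is not None and wanted not in groups:
            continue                      # check item failed, try next entry
        return check, reply
    return None


def ldap_authenticate(user, password):
    """Step 2: the single authenticate section, modelled as a bind attempt."""
    account = DIRECTORY.get(user)
    if account is None:
        return False
    return hmac.compare_digest(account["password"].encode(), password.encode())


def handle_request(user, password):
    """Return (packet type, reply attributes) for one Access-Request."""
    matched = files_authorize(user)
    if matched is None:
        return "Access-Reject", {}
    check, reply = matched
    if check.get("Auth-Type") == "Reject":
        # Rejected by the users file: this entry's Reply-Message is sent.
        return "Access-Reject", dict(reply)
    # The users file is finished with; a failure from here on never goes
    # back to look for the DEFAULT ... Reject entry.
    if not ldap_authenticate(user, password):
        return "Access-Reject", {"Reply-Message": LDAP_BIND_ERROR}
    return "Access-Accept", dict(reply)


if __name__ == "__main__":
    for user, pw in [("radiustest", "wrong-pw"),
                     ("guest", "guest-example-pw"),
                     ("radiustest", "correct-example-pw")]:
        print(user, handle_request(user, pw))
```
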


Re: mpd+freeradius+AD

2006-06-26 Thread Nikos Vassiliadis
On Monday 26 June 2006 09:55, Егоров Сергей wrote:
> Hi all! I have completed setup of mpd+freeradius+AD 2003. Now my users
> authenticating from Active Directory, if they are members of specific
> group. But I still have some questions:
>
> 1.How to make a different timeouts for different groups in AD
> 2.How to appoint special IP for special users
> 3.How to restrict users to access only to defined IP in my network

You can use one of the three firewalls available in the base system (ipfw, ipf
and pf), however mpd comes with a small dictionary that uses ipfw(8) and you
can easily define some filter bound to an interface (bound to a username) via a
radius reply attribute, let filter be a pipe (for bandwidth control) or a packet
filtering expression. So, if you want different rules for different usernames
ipfw is the sensible packet filter to use.

You can find the radius section of mpd, here:
http://www.bretterklieber.com/mpd/doc4/mpd28.html

Your questions don't clearly tell where your problem is.
Active Directory? mpd? or FreeRADIUS? You should define
them better in order to get help from the list.

HTH a bit, Nikos


RE: mpd+freeradius+AD

2006-06-26 Thread Егоров Сергей
Thanks for reply. 

> You can use one of the three firewalls available in the base system (ipfw, ipf
> and pf), however mpd comes with a small dictionary that uses ipfw(8) and you
> can easily define some filter bound to an interface (bound to a username) via
> a radius reply attribute, let filter be a pipe (for bandwidth control) or a
> packet filtering expression.

That's fine for filtering vpn users access to local net. But how could I assign 
specific IP for specific user in AD?

> Your questions don't clearly tell where your problem is.
>Active Directory? mpd? or FreeRADIUS? You should define
>them better in order to get help from the list. 

My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN 2003 
can do 1 and 2 in my questions, so I have to realize how to setup this in mpd + 
freeradius. I already authenticate users from AD group: 

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
  --username=%{Stripped-User-Name:-%{User-Name:-None}} 
  --challenge=%{mschap:Challenge:-00} 
  --nt-response=%{mschap:NT-Response:-00} 
  --require-membership-of=EXAMPLE+VPN_Allowed".

But I have several vpn groups and need to setup timeouts on each one. Also I 
need to assign specific IP for specific user in AD. Looks like FreeRadius 
should respond for this. 




Re: Parse error freeradius-1.1.1

2006-06-26 Thread Margit Meyer
Hi all,

> 
> There is a few problems in the autoconf tests in version 1.1.1.
> Please try 1.1.2.

thanks for your tips.
Now I managed to compile version 1.1.2. 
Here is the configure call I used:
CFLAGS="$CFLAGS -DHEIMDAL_KRB5 -I/usr/include/heimdal" ./configure --with-snmp=no --includedir=/usr/include/heimdal
Perhaps this will be useful for someone else.

Regards
Margit Meyer


Re: mpd+freeradius+AD

2006-06-26 Thread Nikos Vassiliadis
On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> Thanks for reply.
>
> > You can use one of the three firewalls available in the base system (ipfw,
> > ipf and pf), however mpd comes with a small dictionary that uses
> > ipfw(8) and you can easily define some filter bound to an interface
> > (bound to a username) via a radius reply attribute, let filter be a
> > pipe (for bandwidth control) or a packet filtering expression.
>
> That's fine for filtering vpn users access to local net. But how could I
> assign specific IP for specific user in AD?
>
> > Your questions don't clearly tell where your problem is.
> >Active Directory? mpd? or FreeRADIUS? You should define
> >them better in order to get help from the list.
>
> My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN
> 2003 can do 1 and 2 in my questions, so I have to realize how to setup this
> in mpd + freeradius. I already authenticate users from AD group:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>   --username=%{Stripped-User-Name:-%{User-Name:-None}}
>   --challenge=%{mschap:Challenge:-00}
>   --nt-response=%{mschap:NT-Response:-00}
>   --require-membership-of=EXAMPLE+VPN_Allowed".
>
> But I have several vpn groups and need to setup timeouts on each one.

setup timeout? This looks like Session-Timeout in radius dialect.

> Also
> I need to assign specific IP for specific user in AD.

This is Framed-IP-Address in radius dialect.

> Looks like 
> FreeRadius should respond for this.

Yes, you have to have basic understanding of what radius is. All of these
are very basic setup. I don't know how FreeRADIUS interacts with AD and
what info it should get from AD. So, try searching (or asking) for active 
directory and FreeRADIUS. Keep the mpd part out of it, since it will
add unneeded complexity. Or perhaps start from setting up mpd and
FreeRADIUS. And then you could add AD.

A few suggestions, Nikos


Re: So how do you suppress

2006-06-26 Thread Walter Reynolds


So what 'rest of the documentation' should I look at.  I guess I am not 
seeing how I should know that the "auth_log" is a variant of the "detail" 
module.


I am hoping I can get a better understanding of the documentation so I 
would not have to ask questions in the future.  So for this example I saw 
the following:


1. Note in changelog about suppress
2. Section under 'detail' in radiusd.conf file with suppress option 
commented out.


So I now understand that I should be able to suppress information from any 
of the detail sections by adding an additional suppress line under that 
module subsection.


Is this something that I should have understood to start with or is there 
documentation that I did not see and should read?




=
Date: Fri, 23 Jun 2006 11:11:21 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: Freeradius-Users Digest, Vol 14, Issue 95
To: FreeRadius users mailing list

Message-ID: <[EMAIL PROTECTED]>

Walter Reynolds <[EMAIL PROTECTED]> wrote:

Now the question is what example config file had the suppress stanza under
the detail auth_log section as well?  Mine just listed it under the detail
section so I did not know I needed to put it in both places.


  The rest of the documentation explains how the modules are set up.
The "auth_log" module is a variant of the "detail" module.  Nothing is
different except the name, and the options you put into its
configuration.

  Alan DeKok.

==

Date: Thu, 22 Jun 2006 20:15:54 +0100
From: [EMAIL PROTECTED]
Subject: Re: So how do you suppress
To: FreeRadius users mailing list
  
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=us-ascii

Hi,

> So how do I actually suppress the user password from the detail log based
> on this?  Looking at the rlm_detail file and I might as well be looking at
> a foreign language.

you can, for example, do something like this in radiusd.conf

   # Write a detailed log of all accounting records received.
   #
   detail {
       #  Note that we do NOT use NAS-IP-Address here, as
       #  that attribute MAY BE from the originating NAS, and
       # blah blah blah
       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d

       detailperm = 0600
       suppress {
           User-Password
       }
   }

   detail auth_log {
       detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

       detailperm = 0600
       suppress {
           User-Password
       }
   }

it's SO much easier if you read the example config files that come with the
new release as they often contain HOW to use a feature/option/argument :-)

alan






-- Walter Reynolds
   University of Michigan


Re: So how do you suppress

2006-06-26 Thread Alan DeKok
Walter Reynolds <[EMAIL PROTECTED]> wrote:
> So what 'rest of the documentation' should I look at.  I guess I am not 
> seeing how I should know that the "auth_log" is a variant of the "detail" 
> module.

  The comments at the start of the "modules" section in radiusd.conf
explain this.  It even points to examples further on that demonstrate
what it's talking about.

> So I now understand that I should be able to suppress information from any 
> of the detail sections by adding an additional suppress line under that 
> module subsection.
> 
> Is this something that I should have understood to start with or is there 
> documentation that I did not see and should read?

  Yes.  It's been documented in the server for many years.  Many
configurations and examples included in the default conf files
demonstrate this.  See "detail", "radutmp", "always", for starters.

  Alan DeKok.
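
A check for the point made in this thread, that every instance of the detail module needs its own suppress list: the Python below is an added example (not part of FreeRADIUS or of any post here). It assumes one section opener or closing brace per line, as in the stock radiusd.conf; SAMPLE_CONF and the function names are constructed.

```python
import re

# Constructed radiusd.conf fragment: the plain "detail" instance suppresses
# User-Password, the "auth_log" instance has its suppress list commented out.
SAMPLE_CONF = """
modules {
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
        suppress {
            User-Password
        }
    }
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
        detailperm = 0600
        # suppress {
        #     User-Password
        # }
    }
}
"""

# "name {" or "name instance {" at the end of a line opens a section.
SECTION_OPEN = re.compile(r"^(\S+?)(?:\s+(\S+?))?\s*\{$")


def detail_suppress_lists(conf_text):
    """Map each detail instance name to the set of attributes it suppresses."""
    stack = []        # (section kind, owning detail instance or None)
    instances = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and padding
        if not line:
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            kind, name = opened.groups()
            owner = None
            if kind == "detail":
                owner = name or "detail"       # unnamed instance is "detail"
                instances.setdefault(owner, set())
            elif kind == "suppress" and stack and stack[-1][0] == "detail":
                owner = stack[-1][1]
            stack.append((kind, owner))
        elif line == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1][0] == "suppress" and stack[-1][1]:
            # A bare attribute name inside a detail instance's suppress list.
            instances[stack[-1][1]].add(line)
    return instances


def missing_suppress(conf_text, attribute="User-Password"):
    """Return the detail instances that would still log `attribute`."""
    lists = detail_suppress_lists(conf_text)
    return sorted(name for name, attrs in lists.items()
                  if attribute not in attrs)


if __name__ == "__main__":
    print("instances still logging User-Password:", missing_suppress(SAMPLE_CONF))
```
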



Problems with Redundant Proxy config with FreeRadius 1.0.1-2.FC3.1 (Fedora Core 3)

2006-06-26 Thread Shaun Mccullagh
Hi,

I would like FreeRadius to proxy requests to two radius servers.
Normally requests should go to a primary(kiezel1i), but if this is
unavailable it should send requests to a secondary(kiezel2i). I'm using
the config at the bottom of this message. If I shut the primary down,
FreeRadius never forwards the requests to the secondary.

Have I made a mistake in my config?

How does FreeRadius determine if the Primary is unavailable?

TIA

Shaun 

proxy server {
    synchronous = no
    retry_delay = 5
    retry_count = 3
    dead_time = 180
    default_fallback = no
    post_proxy_authorize = yes
}

realm LOCAL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm NULL {
    type     = radius
    authhost = LOCAL
    accthost = LOCAL
}

realm erbi.nl {
    type    = radius
    authost = LOCAL
    acchost = LOCAL
}

realm zzl-ra.nl {
    type     = radius
    authhost = kiezel1i:1812
    accthost = kiezel1i:1812
    secret   = xxx
    ldflag   = fail_over
}
realm zzl-ra.nl {
    type     = radius
    authhost = kiezel2i:1812
    accthost = kiezel2i:1812
    secret   = xxx

    ldflag   = fail_over
}





Re: Malfunctioning Nomadix

2006-06-26 Thread Alan DeKok
Santiago Balaguer García <[EMAIL PROTECTED]> wrote:
> True. Nomadix developers told me it is a problem of my RADIUS server.

  If the NAS sends multiple accounting packets when they had been
ACK'd, then it's broken.

  Alan DeKok.
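
The database rule mentioned earlier in this thread, sketched as an added Python/SQLite example (not from any poster and not the FreeRADIUS SQL schema): a unique key on NAS address plus Acct-Session-Id makes repeated Start or Stop packets harmless. Table and column names and the sample packets are constructed.

```python
import sqlite3


def open_db():
    """In-memory accounting table carrying the uniqueness rule."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE radacct (
            nas_ip     TEXT NOT NULL,
            session_id TEXT NOT NULL,
            username   TEXT,
            start_time INTEGER,
            stop_time  INTEGER,
            UNIQUE (nas_ip, session_id)
        )""")
    return db


def record(db, pkt):
    """Apply one accounting packet; return 'stored' or 'duplicate'."""
    key = (pkt["NAS-IP-Address"], pkt["Acct-Session-Id"])
    status = pkt["Acct-Status-Type"]
    if status == "Start":
        # A retransmitted Start hits the UNIQUE key and is ignored.
        cur = db.execute(
            "INSERT OR IGNORE INTO radacct"
            " (nas_ip, session_id, username, start_time) VALUES (?, ?, ?, ?)",
            key + (pkt["User-Name"], pkt["time"]))
        return "stored" if cur.rowcount == 1 else "duplicate"
    if status == "Stop":
        # Close the session only once; a repeated Stop matches no open row.
        cur = db.execute(
            "UPDATE radacct SET stop_time = ?"
            " WHERE nas_ip = ? AND session_id = ? AND stop_time IS NULL",
            (pkt["time"],) + key)
        if cur.rowcount == 1:
            return "stored"
        # No open row: either a repeat, or the Start was never seen.
        cur = db.execute(
            "INSERT OR IGNORE INTO radacct"
            " (nas_ip, session_id, username, stop_time) VALUES (?, ?, ?, ?)",
            key + (pkt["User-Name"], pkt["time"]))
        return "stored" if cur.rowcount == 1 else "duplicate"
    raise ValueError("unhandled Acct-Status-Type: %r" % status)


def _pkt(status, session, user, when):
    # Constructed sample packet; 192.0.2.10 is a documentation address.
    return {"Acct-Status-Type": status, "NAS-IP-Address": "192.0.2.10",
            "Acct-Session-Id": session, "User-Name": user, "time": when}


# Constructed stream: each Start and Stop for session 0000A1 arrives twice,
# and session 0000B2 shows up only as a Stop.
SAMPLE_PACKETS = [
    _pkt("Start", "0000A1", "alice", 1000),
    _pkt("Start", "0000A1", "alice", 1000),
    _pkt("Stop", "0000A1", "alice", 1600),
    _pkt("Stop", "0000A1", "alice", 1600),
    _pkt("Stop", "0000B2", "bob", 1700),
]


def replay(packets):
    """Feed packets into a fresh table; return (per-packet results, row count)."""
    db = open_db()
    results = [record(db, p) for p in packets]
    rows = db.execute("SELECT COUNT(*) FROM radacct").fetchone()[0]
    return results, rows


if __name__ == "__main__":
    print(replay(SAMPLE_PACKETS))
```
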



Re: Re-write Attributes based upon NAS-Port-Type and LDAP authorization response

2006-06-26 Thread Alan DeKok
"Bill Carr" <[EMAIL PROTECTED]> wrote:
> My pseudo-code thought process is outlined below (I'm not a coder, would
> never profess to be; thus my post!):
> 
>  if NAS-Port-Type == "Wireless - IEEE 802.11"
>  
>  then
>  
>  Tunnel-Medium-Type == IEEE-802
>  Tunnel-Type == VLAN
>  
>  if Filter-ID =~ "Internet-Restricted"

  That won't work.  The NAS doesn't send Filter-Id.  You've got to
configure the server to send the correct response back.

> My reading thus far has led me to test my reply attribute requirements
> from the "users" file and that works perfectly.   If someone could point
> me in a simple direction on how to strip/rewrite the attributes based on
> the 'authorization' reply from LDAP, I'd be indebted.

  I don't see why that's necessary.  Configuring the server to do
something, then re-do what it already did as something else, is a bad
idea.  It's hard to configure, and prone to problems.

  Instead, configure the server to match on something, and send a
reply.  It's a lot easier.

>   I've seen examples of profiles stored on LDAP, but I'm curious how
> I could choose a different profile based upon the "NAS-Port-Type"
> received in the Access-Request

  You put the NAS-Port-Type into the LDAP query.  That's why the
queries are configurable.

  Alan DeKok.



Fixed IP

2006-06-26 Thread Mahesh S Kudva
Hi

I am running Freeradius on Mac OS X. How do I assign fixed IP address to 
my wireless clients who are authenticating under Apple Base stations??

Any suggestions welcome

Regards & Thanks

Mahesh S Kudva



---
Robosoft Technologies - Come home to Technology




Re: Fixed IP

2006-06-26 Thread Guy Davies

This is probably best achieved using DHCP rather than RADIUS.  Once
RADIUS has authenticated the user and the device is connected to the
subnet, you'll normally obtain a dynamic IP address via DHCP.  DHCP
can be configured to give a fixed IP address to a particular MAC
address.

Rgds,

Guy

On 26/06/06, Mahesh S Kudva <[EMAIL PROTECTED]> wrote:

Hi

I am running Freeradius on Mac OS X. How do I assign fixed IP address to
my wireless clients who are authenticating under Apple Base stations??

Any suggestions welcome

Regards & Thanks

Mahesh S Kudva



---
Robosoft Technologies - Come home to Technology




basic handling of multiple EAP-Methods by freerad

2006-06-26 Thread Rainer Brinkmann

Hello,

we wonder, how a freeradius can request a client to use a fixed EAP-Method:
so its defined:
Client starts with EAP-Start-Msg
Radius wants EAP-Identity
Client answers with Username or Hostname NOT using a special EAP-Method

Radius now starts communicating with the first EAP-Packet, using the
special EAP-Method

Question:

you run in your wireless LAN many SSIDs:
SSID1 shall use EAP-TTLS
SSID2 shall use EAP-TLS(high-secured Net like personal Data)

what logic starts the right inner-EAP-Protocol, cause neither the
AccessPoint (WLAN-Controller), nor the radius server know, what Method
to use, when there are many enabled.

e.g. on a cisco-Radius, that runs with enabled PEAP and TLS, but there's no
special attribute defined to control that


thanks for reply,
Rainer Brinkmann

University-Clinicum Hamburg / Germany


