FreeRadius + AD + Realms

2010-06-30 Thread Matthew P

Hello everyone!

I'm new to FreeRadius, so please bear with me. :)

Goal: Make FreeRadius look up a user in Active Directory if he has the 
mydomain.com domain.
Used method: EAP/TTLS (PAP in the tunnel)

This is how I've done it, but it doesn't give the wanted results, so please 
explain a bit. :)
(it doesn't seem to load the local_ad virtual server configuration, which I 
placed in the sites-enabled directory; it seems to just carry on executing the 
default server)

parts from proxy.conf:

proxy server {
	default_fallback = no
}

home_server localhost_ad {
	type = auth
	virtual_server = local_ad
}

home_server_pool active_directory {
	type = fail-over
	virtual_server = local_ad
	home_server = localhost_ad
}

realm mydomain.com {
	auth_pool = active_directory
}

And the output:
rad_recv: Access-Request packet from host 192.168.0.101 port 1812, id=8, length=138
	NAS-IP-Address = 192.168.0.101
	NAS-Port-Type = Async
	User-Name = u...@mydomain.com
	Service-Type = Framed-User
	Framed-MTU = 1500
	Calling-Station-Id = 00-11-22-33-44-55
	EAP-Message = 0x021d016a73691d756e646363406c73732d6e65542e6c73732e6872
	Message-Authenticator = 0x10017179767a5ab6718168e8399c8993
+- entering group authorize
++[preprocess] returns ok
rlm_realm: Looking up realm mydomain.com for User-Name = u...@mydomain.com
rlm_realm: Found realm mydomain.com
rlm_realm: Adding Stripped-User-Name = user
rlm_realm: Adding Realm = mydomain.com
rlm_realm: Proxying request from user user to realm mydomain.com
rlm_realm: Preparing to proxy authentication request to realm mydomain.com
++[suffix] returns updated
  rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
There was no response configured: rejecting request 0
  Found Post-Auth-Type Reject
+- entering group REJECT
	expand: %{User-Name} -> u...@mydomain.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

Thanks in advance!
  
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Expanding Suffix or Realm attributes

2010-06-30 Thread Alan DeKok
Rob Turner wrote:
 The regex realm would work if I could use the Suffix or Realm attribute from 
 something like the check or control list rather than ~.\2a\5c.\2a\5c.\2a$

  This was fixed in 2.1.9.  See the changelog on www.freeradius.org.

  Alan DeKok.


Netmask HowTo

2010-06-30 Thread loki

Greets,

I have the following setup:

freeradius 2.0.5 with sqlippool.

Now my question:

How can I set up radius to get its netmask from sqlippool based on 
the pool name?

For instance.
I have two pools named pool1 and pool2 in mysql. Now on pool1 I want 
to have the netmask 255.255.255.128 and on pool2 I want to have 
netmask 255.255.255.0.
How do I achieve that? I have tried the net and some trial and error 
runs, but got mostly errors. :-)


THX in advance...



__ Information from ESET Mail Security, version of virus signature 
database 5238 (20100629) __

The message was checked by ESET Mail Security.
http://www.eset.com


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
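The thread gives no answer to this one. As an added example (not from the thread, and not a sqlippool feature: the module allocates the address, nothing else), one way to attach a netmask per pool in FreeRADIUS 2.x is to branch on the same control:Pool-Name that sqlippool reads. The user names, the pool names pool1/pool2 and the two masks are taken from or assumed for the question; whether sqlippool runs in post-auth and Pool-Name lives in the control list is as in the 2.x default configuration.

```unlang
# raddb/users - which pool a user gets.  Pool-Name on the first line is
# a check item, so it ends up in the control list where sqlippool and
# the unlang below both read it.  (alice/bob are made-up users.)
alice	Pool-Name := "pool1"

bob	Pool-Name := "pool2"

# raddb/sites-enabled/default, post-auth section.
post-auth {
	# sqlippool allocates an address from the pool named in
	# control:Pool-Name and puts Framed-IP-Address into the reply.
	sqlippool

	# The pool name is known here, so pick the netmask from it.  An
	# address with the wrong mask is the failure mode this avoids:
	# both masks must match the subnet the pool was carved from.
	if (control:Pool-Name == "pool1") {
		update reply {
			Framed-IP-Netmask := 255.255.255.128
		}
	}
	elsif (control:Pool-Name == "pool2") {
		update reply {
			Framed-IP-Netmask := 255.255.255.0
		}
	}
}
```

Run radiusd -X and confirm that the reply carries both Framed-IP-Address (from sqlippool) and Framed-IP-Netmask; if sqlippool returns notfound because the pool is exhausted, the if-branches still run, so gate them on the reply containing an address if that matters to your NAS.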


Re: FreeRadius + AD + Realms

2010-06-30 Thread Alan DeKok
Matthew P wrote:
 I'm new to FreeRadius, so please bear with me. :)

  Good questions are a very good start.

 Goal: Make FreeRadius look-up a user in ActiveDirectory if he has 
 mydomain.com domain.
 Used method: EAP/TTLS (PAP in the tunnel)
 
 This is how I've done it, but it doesn't give the wanted results, so please 
 explain a bit. :)
 (it doesn't seem to load the local_ad virtual server configuration, which I 
 placed in the sites-enabled directory; it seems to just carry on executing 
 the default server)

  If you read the start of the debug output, it *should* show it loading
the local_ad virtual server.  The output below shows it not *proxying*
the request to the local_ad virtual server.


 realm mydomain.com {
 auth_pool = active_directory

  You'll need a line:

nostrip

  To avoid EAP identity issues.
...
 rlm_realm: Preparing to proxy authentication request to realm 
 mydomain.com
 ++[suffix] returns updated
    rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP.
 ++[eap] returns noop
 ++[files] returns noop
 ++[expiration] returns noop
 ++[logintime] returns noop
 ++[pap] returns noop
 There was no response configured: rejecting request 0

  i.e. it doesn't proxy it.

  This *does* work in 2.1.9.  So which version are you running?

  And why are you creating this complicated configuration?  The
inner-tunnel virtual server is set up *precisely* for this kind of
authentication.  You do EAP in the default server.  Then, the
inner-tunnel server gets the PAP password, and you can configure it to
look the user up in AD there.

  In fact, you should only need to do the following:

* start with the default config
* uncomment ldap everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work

  The default configuration is designed to work in the widest possible
set of circumstances, with a minimal set of changes required to add any
common functionality.

  Alan DeKok.
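The layout Alan recommends, written out as an added example. This is not the thread's configuration and not FreeRADIUS's shipped files: the domain controller name dc1.mydomain.com, the bind DN, its password and the base DN are placeholders, and the per-section comments are mine. The nostrip line is for anyone who keeps the proxy-to-virtual-server design from the original post; the rest is the inner-tunnel route.

```unlang
# raddb/proxy.conf - only if you keep proxying to a local virtual server.
# Without nostrip, rlm_realm replaces User-Name with the stripped form
# and the EAP identity no longer matches what the supplicant sent.
realm mydomain.com {
	auth_pool = active_directory
	nostrip
}

# raddb/eap.conf - the ttls subsection; keep the tls { } section with
# your server certificate as shipped.  The inner PAP request is handed
# to the inner-tunnel virtual server.
ttls {
	default_eap_type = md5
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
}

# raddb/modules/ldap - point at the domain controller.  AD refuses
# anonymous searches, so a bind account is needed, and accounts are
# keyed by sAMAccountName rather than uid.  All values are placeholders.
ldap {
	server = "dc1.mydomain.com"
	identity = "cn=radius-bind,cn=Users,dc=mydomain,dc=com"
	password = "bind-account-password"
	basedn = "dc=mydomain,dc=com"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	dictionary_mapping = ${confdir}/ldap.attrmap
	tls {
		start_tls = no
	}
}

# raddb/sites-enabled/inner-tunnel - the two sections that matter.
server inner-tunnel {
	authorize {
		chap
		mschap
		suffix
		# The inner request is never proxied; this is what stops
		# rlm_realm from doing what the original debug output shows.
		update control {
			Proxy-To-Realm := LOCAL
		}
		eap {
			ok = return
		}
		files
		# AD does not hand out password hashes.  ldap finds the user,
		# sees a User-Password but no password attribute, and sets
		# Auth-Type := LDAP so that authentication binds as the user.
		ldap
		expiration
		logintime
		pap
	}

	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		# Bind to AD as the user with the tunnelled PAP password.
		Auth-Type LDAP {
			ldap
		}
		eap
	}
}
```

Two checks before calling this done: the start of radiusd -X output must list server inner-tunnel as loaded, and a first TTLS/PAP attempt should show "[ldap] Setting Auth-Type = LDAP" followed by a successful bind. With start_tls = no the bind account's password and every user password cross the wire to the DC in the clear, so in production use ldaps or start_tls, and keep raddb/modules/ldap readable only by the radiusd user.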


Re: originate-coa virtual server

2010-06-30 Thread Alan DeKok
Ben Wiechman wrote:
 The originate-coa virtual server includes a switch condition using the
 Response-Packet-Type attribute in the post-proxy section. However this
 attribute is not populated for responses to coa or disconnect requests. The
 Packet-Type attribute is populated in the proxy-reply list (which is perhaps
 to be inferred from the comments in the originate-coa file). 

  Yes.

 Is the lack of information in the Response-Packet-Type attribute expected in
 a response to a coa or disconnect request and the switch should be updated
 to use %{proxy-reply:Packet-Type} (this does work) or should the
 Response-Packet-Type attribute be populated for a response to a coa or
 disconnect request?

  No.  It's a bug.  The reference should be to %{proxy-reply:Packet-Type}.

  Alan DeKok.
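The corrected post-proxy switch, as an added example rather than the shipped originate-coa file. It also shows the pieces around it so the flow can be followed: a coa-type home server in proxy.conf and the post-auth update that originates the packet. The NAS address 192.0.2.10, the shared secret and the choice of Packet-Dst-IP-Address/Packet-Dst-Port to select the home server are assumptions (the attribute set a NAS needs to identify a session is vendor-specific; check the comments in your version's originate-coa and proxy.conf).

```unlang
# raddb/proxy.conf - where CoA/Disconnect packets go.  Hypothetical NAS.
home_server nas-coa {
	type = coa
	ipaddr = 192.0.2.10
	port = 3799
	secret = "coa-shared-secret"
	coa {
		irt = 2
		mrt = 16
		mrc = 5
		mrd = 30
	}
}

# raddb/sites-enabled/default - originate a CoA after a successful
# authentication.  Only User-Name is guaranteed to exist here; the other
# two are passed through when the NAS sent them.
post-auth {
	update coa {
		Packet-Dst-IP-Address := 192.0.2.10
		Packet-Dst-Port := 3799
		User-Name := "%{User-Name}"
		NAS-IP-Address := "%{NAS-IP-Address}"
		Acct-Session-Id := "%{Acct-Session-Id}"
	}
}

# raddb/sites-enabled/originate-coa - handle the NAS reply.  The reply
# to a packet radiusd itself originated is in the proxy-reply list, so
# the switch reads %{proxy-reply:Packet-Type}.  %{Response-Packet-Type}
# is not populated here and every reply would fall into the default case.
server originate-coa {
	post-proxy {
		switch "%{proxy-reply:Packet-Type}" {
			case CoA-ACK {
				ok
			}
			case CoA-NAK {
				fail
			}
			case Disconnect-ACK {
				ok
			}
			case Disconnect-NAK {
				fail
			}
			case {
				# No reply at all (timeout) or an unexpected type.
				fail
			}
		}
	}
}
```

A NAK is the normal answer when the session identifiers do not match anything on the NAS, which is why the session attributes deserve more care than the switch does; log the Error-Cause attribute from proxy-reply in the NAK cases while tuning them.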


RE: originate-coa virtual server

2010-06-30 Thread Ben Wiechman

Thanks 

Ben





Detail accounting by REalm

2010-06-30 Thread BELLIERE Eric
Dears,

I have a proxy RADIUS which sends authentication and accounting to other
RADIUS servers.

I would like to have a copy of these accounting data locally. This is
already working in the detail file.

Now I am trying to make a file per proxied realm.

I have tried this and it works, but I need to specify the exact realm.

Is there a way to configure an expression here?

I would like to make an expression to cover abc.be and abcnet.be so only
one line is necessary (like realm == ~abc$)?

accounting {

	detail

	if ((realm == abc.be)||(realm == abcnet.be)) {
		WriteABCAccounting
		WriteLOCALAccounting
	}

	if (realm == xyz.be) {
		WriteXYZaccounting
		WriteLOCALAccounting
	}

}

Eric Bellière
Operation & Integration Expert
ITNO/ISO/ISIO/LSS
Mobistar NV/SA
Avenue Jean Mermoz 32
6041 Gosselies
Tel: +32 (0)2 745 7997
GSM: +32(0)495 55 1343

Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread Ben Wiechman
A note for those that may run into this as well.

When updating FR to 2.1.9 on RHEL/CentOS with SELinux enabled FreeRADIUS
would log the following when it was started:
Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission
denied

To resolve I had to install the following modifications to the default
SELinux policy

# cat freeradius2.te 

module freeradius2 1.0;

require {
type radiusd_t;
class process setrlimit;
}

#============= radiusd_t ==============
allow radiusd_t self:process setrlimit;

This allowed the daemon to properly disable core dumps. 

Ben Wiechman
Wisper High Speed Internet



Re: Newbee question

2010-06-30 Thread Alan DeKok
Maria Sanchez wrote:
 For example an Admin  role that indicates to an application  what are the 
 actions the user can perform.

  OK.

   Is this role for use by a real client, i.e. *not* radclient?
 Yes. I have an application that authenticates the user with Radius and then 
 gets the set of roles assigned to this user. With the set of roles the 
 application knows what the user can or cannot do.

  If you're writing your own client, just return the name of the role in
the Filter-Id attribute.

  Alan DeKok.


Re: Detail accounting by REalm

2010-06-30 Thread Alan DeKok
BELLIERE Eric wrote:
 Now I am trying to make a file by realm proxyied.

  You can use the Realm name in the detail filename.  That's why the
filename is configurable in the detail module.


 I have try this and works but I need to specify the exact realm.
 
 Is it a way to configure a expression here?

$ man unlang

 I would like to make an expression to replace abc.be and abcnet.be so
 only one line is nacessary (like realm == ~abc$) ?

  See the above man page.  You can use a regex.

  Alan DeKok.


Re: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread Alan DeKok
Ben Wiechman wrote:
 A note for those that may run into this as well.
 
 When updating FR to 2.1.9 on RHEL/CentOS with SELinux enabled FreeRADIUS
 would log the following when it was started:
 Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission
 denied
 
 To resolve I had to install the following modifications to the default
 SELinux policy
...
 This allowed the daemon to properly disable core dumps. 

  Hmm security policies that prevent systems from increasing the
security of the system.  Nice.

  Alan DeKok.


Re: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread John Dennis

On 06/30/2010 10:29 AM, Ben Wiechman wrote:

A note for those that may run into this as well.

When updating FR to 2.1.9 on RHEL/CentOS with SELinux enabled FreeRADIUS
would log the following when it was started:
Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission
denied


Please file a bugzilla against selinux policy.

--
John Dennis jden...@redhat.com



RE: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread Ben Wiechman
Despite the fact that this was against 2.1.9, not the freeradius2 rpm that
is available with RHEL?

Ben



Re: Detail accounting by REalm

2010-06-30 Thread Alan Buxey
Hi,

 I would like to make an expression to replace abc.be and abcnet.be so only 
 one line is nacessary (like realm == ~abc$) ?

regex stuff? 

(realm =~ /~abc[a-zA-Z_]+?\.be/i)

?


alan
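Both suggestions in this thread (the realm name in the detail filename, and a regex instead of a list of realms) combined into one added example. It is not the poster's configuration: the instance name detail_by_realm, the directory layout under ${radacctdir} and the exact pattern are mine; WriteABCAccounting, WriteLOCALAccounting and WriteXYZaccounting are the instances from the original post and are assumed to be defined in raddb/modules/detail.

```unlang
# raddb/modules/detail - a detail instance whose path is expanded per
# packet.  Realm is only ever set by rlm_realm from a realm block in
# proxy.conf, so it is safe to put in a path.  Do not do the same with
# the raw suffix of User-Name: that string is attacker-controlled and
# "../" inside it would walk out of ${radacctdir}.
detail detail_by_realm {
	detailfile = ${radacctdir}/by-realm/%{%{Realm}:-LOCAL}/detail-%Y%m%d
	detailperm = 0600
	dirperm = 0755
}

# raddb/sites-enabled/default, accounting section.
accounting {
	detail
	detail_by_realm

	# One line for abc.be and abcnet.be.  Unlang regexes are unanchored,
	# so ^ and $ are what keep notabc.be or abc.be.example from matching;
	# /i makes it case-insensitive, which realm names are.
	if (Realm =~ /^abc(net)?\.be$/i) {
		WriteABCAccounting
		WriteLOCALAccounting
	}
	elsif (Realm == "xyz.be") {
		WriteXYZaccounting
		WriteLOCALAccounting
	}
}
```

Requests that matched no realm have no Realm attribute, so they land in by-realm/LOCAL rather than producing an empty path component; the existing per-realm modules are left untouched so the switch-over can be verified file by file in radiusd -X before the old ones are removed.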


Re: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread John Dennis

On 06/30/2010 03:06 PM, Ben Wiechman wrote:

Despite the fact that this was against 2.1.9, not the freeradius2 rpm that
is available with RHEL?


Yes. It's a policy problem and it needs to get fixed. We'll eventually 
ship 2.1.9 or the core dump fix back ported to an earlier version, it 
would be nice to know the SELinux policy would just support it when we 
do ship it. For those like yourself who built 2.1.9 wouldn't it be nice 
to know the SELinux policy supports it?


--
John Dennis jden...@redhat.com



Re: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread Alan Buxey
Hi,

 Yes. It's a policy problem and it needs to get fixed. We'll eventually 
 ship 2.1.9 or the core dump fix back ported to an earlier version, it 
 would be nice to know the SELinux policy would just support it when we 
 do ship it. For those like yourself who built 2.1.9 wouldn't it be nice 
 to know the SELinux policy supports it?

those that install things from source usually have to fight SELinux all
over the place  ;-)

alan


ntlm_auth fails for none domain

2010-06-30 Thread John
Hi,  
 
We are using FreeRADIUS to talk to multiple ADs. I updated my 
FreeRADIUS from 1.1.6 to 2.1.9 recently. 
 
xjtu is our default domain; users under this domain only use the 
username to authenticate to RADIUS. With 1.1.6 it gets xjtu as the domain, 
but with 2.1.9 it does not; please see the debug info below.
 
 
This is the related part of the configuration file:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-xjtu} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
 
 
This is the debug info: 
[mschap] Told to do MS-CHAPv2 for hhe with NT-Password
[mschap] No NT-Domain was found in the User-Name.
[mschap]  expand: --domain=%{mschap:NT-Domain} -> --domain=
[mschap]  expand: --username=%{mschap:User-Name:-None} -> --username=hhe
[mschap]  mschap2: a6
[mschap]  expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ddca17e9bfdaf05a
[mschap]  expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=741e305efc7bce1071682eee0b3c37142b184b9544242304
 
John


# -*- text -*-
#
#  $Id$

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
	#use_mppe = no

	#require_encryption = yes

	#require_strong = yes

	with_ntdomain_hack = yes

	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-xjtu} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}