FreeRadius + AD + Realms
Hello everyone!

I'm new to FreeRadius, so please bear with me. :)

Goal: Make FreeRadius look up a user in ActiveDirectory if he has the mydomain.com domain.
Used method: EAP/TTLS (PAP in the tunnel)

This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :)
(It doesn't seem to load the local_ad virtual server configuration, which I placed in the sites-enabled directory; it seems to just carry on executing the default server.)

Parts from proxy.conf:

    proxy server {
        default_fallback = no
    }

    home_server localhost_ad {
        type = auth
        virtual_server = local_ad
    }

    home_server_pool active_directory {
        type = fail-over
        virtual_server = local_ad
        home_server = localhost_ad
    }

    realm mydomain.com {
        auth_pool = active_directory
    }

And the output:

    rad_recv: Access-Request packet from host 192.168.0.101 port 1812, id=8, length=138
            NAS-IP-Address = 192.168.0.101
            NAS-Port-Type = Async
            User-Name = u...@mydomain.com
            Service-Type = Framed-User
            Framed-MTU = 1500
            Calling-Station-Id = 00-11-22-33-44-55
            EAP-Message = 0x021d016a73691d756e646363406c73732d6e65542e6c73732e6872
            Message-Authenticator = 0x10017179767a5ab6718168e8399c8993
    +- entering group authorize
    ++[preprocess] returns ok
        rlm_realm: Looking up realm mydomain.com for User-Name = u...@mydomain.com
        rlm_realm: Found realm mydomain.com
        rlm_realm: Adding Stripped-User-Name = user
        rlm_realm: Adding Realm = mydomain.com
        rlm_realm: Proxying request from user user to realm mydomain.com
        rlm_realm: Preparing to proxy authentication request to realm mydomain.com
    ++[suffix] returns updated
      rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP.
    ++[eap] returns noop
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    There was no response configured: rejecting request 0
    Found Post-Auth-Type Reject
    +- entering group REJECT
        expand: %{User-Name} -> u...@mydomain.com
     attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 0 for 1 seconds
    Going to the next request

Thanks in advance!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Expanding Suffix or Realm attributes
Rob Turner wrote:
> The regex realm would work if I could use the Suffix or Realm attribute from something like the check or control list rather than ~.\2a\5c.\2a\5c.\2a$

This was fixed in 2.1.9. See the changelog on www.freeradius.org.

Alan DeKok.
Netmask HowTo
Greets,

I have the following setup: freeradius 2.0.5 with sqlippool.

Now my question: How can I set up radius to get its netmask from sqlippool based on the pool name? For instance, I have two pools named pool1 and pool2 in mysql. Now on pool1 I want to have the netmask 255.255.255.128 and on pool2 I want to have the netmask 255.255.255.0. How do I achieve that?

I have tried the net and some trial and error runs, but got mostly errors. :-)

THX in advance...
Re: FreeRadius + AD + Realms
Matthew P wrote:
> I'm new to FreeRadius, so please bear with me. :)

Good questions are a very good start.

> Goal: Make FreeRadius look up a user in ActiveDirectory if he has the mydomain.com domain.
> Used method: EAP/TTLS (PAP in the tunnel)
> This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :)
> (It doesn't seem to load the local_ad virtual server configuration, which I placed in the sites-enabled directory; it seems to just carry on executing the default server.)

If you read the start of the debug output, it *should* show it loading the local_ad virtual server. The output below shows it not *proxying* the request to the local_ad virtual server.

> realm mydomain.com {
>     auth_pool = active_directory

You'll need a line:

    nostrip

to avoid EAP identity issues.

> ...
>     rlm_realm: Preparing to proxy authentication request to realm mydomain.com
> ++[suffix] returns updated
>   rlm_eap: Request is supposed to be proxied to Realm mydomain.com. Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> There was no response configured: rejecting request 0

i.e. it doesn't proxy it. This *does* work in 2.1.9. So which version are you running?

And why are you creating this complicated configuration? The inner-tunnel virtual server is set up *precisely* for this kind of authentication. You do EAP in the default server. Then, the inner-tunnel server gets the PAP password, and you can configure it to look the user up in AD there.

In fact, you should only need to do the following:

* start with the default config
* uncomment ldap everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work

The default configuration is designed to work in the widest possible set of circumstances, with a minimal set of changes required to add any common functionality.

Alan DeKok.
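The five steps in Alan's reply, written out as the raddb fragments they touch. This is an added example, not part of the thread and not the files shipped with FreeRADIUS; the AD host, bind account, password and base DN are placeholders, and the eap.conf and inner-tunnel sections show only the lines that matter for TTLS with PAP against AD.

```text
# raddb/proxy.conf: the outer realm must NOT be proxied.  A realm block
# with no auth_pool/authhost is handled locally, so EAP runs in the
# default server and the PAP password turns up in inner-tunnel.
realm mydomain.com {
}

# raddb/eap.conf: TTLS hands the decrypted inner request to the
# inner-tunnel virtual server.  The server certificate and CA (step 4)
# are the tls { } entries of this same file; dh_file, random_file and
# private_key_password stay as in the stock file.
eap {
	default_eap_type = ttls
	tls {
		certificate_file = ${certdir}/server.pem
		private_key_file = ${certdir}/server.pem
		CA_file = ${cadir}/ca.pem
	}
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		virtual_server = "inner-tunnel"
	}
}

# raddb/modules/ldap: point the ldap module at AD (step 3).
# All values below are placeholders; use a read-only bind account.
ldap {
	server = "dc1.mydomain.com"
	identity = "CN=radius-bind,OU=Service Accounts,DC=mydomain,DC=com"
	password = "PLACEHOLDER-bind-password"
	basedn = "DC=mydomain,DC=com"
	# AD logins use sAMAccountName.  Stripped-User-Name is set by the
	# suffix module; fall back to the whole User-Name otherwise.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	# AD does not hand out password hashes, so the module cannot give pap
	# a known-good password.  When the request carries a User-Password and
	# nothing else has set Auth-Type, the module sets Auth-Type := LDAP and
	# the user is verified by binding to AD with the tunnelled password.
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
}

# raddb/sites-enabled/inner-tunnel: uncomment ldap in authorize and in
# authenticate (step 2).  Everything else is the stock file.
server inner-tunnel {
	authorize {
		chap
		mschap
		suffix
		update control {
			Proxy-To-Realm := LOCAL    # never proxy the inner request
		}
		eap {
			ok = return
		}
		files
		ldap                               # uncommented: AD lookup
		expiration
		logintime
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type LDAP {
			ldap                           # uncommented: bind as the user
		}
		eap
	}
	...
}
```

The `Proxy-To-Realm := LOCAL` line is the reason the realm module can stay enabled inside the tunnel: the inner User-Name still carries @mydomain.com, but the request is forced to be handled here instead of being sent to a home server.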
Re: originate-coa virtual server
Ben Wiechman wrote:
> The originate-coa virtual server includes a switch condition using the Response-Packet-Type attribute in the post-proxy section. However this attribute is not populated for responses to coa or disconnect requests. The Packet-Type attribute is populated in the proxy-reply list (which is perhaps to be inferred from the comments in the originate-coa file).

Yes.

> Is the lack of information in the Response-Packet-Type attribute expected in a response to a coa or disconnect request and the switch should be updated to use %{proxy-reply:Packet-Type} (this does work), or should the Response-Packet-Type attribute be populated for a response to a coa or disconnect request?

No. It's a bug. The reference should be to %{proxy-reply:Packet-Type}.

Alan DeKok.
RE: originate-coa virtual server
> > Is the lack of information in the Response-Packet-Type attribute expected in a response to a coa or disconnect request and the switch should be updated to use %{proxy-reply:Packet-Type} (this does work), or should the Response-Packet-Type attribute be populated for a response to a coa or disconnect request?
>
> No. It's a bug. The reference should be to %{proxy-reply:Packet-Type}.

Thanks

Ben
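The post-proxy section of originate-coa with the switch keyed on the proxy-reply list, which is where the thread ends up. This is an added example, not the shipped file; the case labels are the Packet-Type value names from the FreeRADIUS dictionary, and the ok/fail return codes in each branch are a choice made here.

```text
# raddb/sites-available/originate-coa, post-proxy section.  The reply to
# a CoA-Request or Disconnect-Request lives in the proxy-reply list, so
# that list is what the switch has to expand; Response-Packet-Type is
# empty here.
post-proxy {
	switch "%{proxy-reply:Packet-Type}" {
		case CoA-ACK {
			# the NAS applied the change of authorisation
			ok
		}
		case CoA-NAK {
			# the NAS refused it; the reason, if it sent one, is in
			# %{proxy-reply:Error-Cause}
			fail
		}
		case Disconnect-ACK {
			# the session was torn down
			ok
		}
		case Disconnect-NAK {
			fail
		}
		default {
			# anything other than the four RFC 3576 reply types
			fail
		}
	}
}
```

Running the server with `radiusd -X` shows the expansion of `%{proxy-reply:Packet-Type}` in the post-proxy debug output, which is the quickest way to confirm the switch now sees a value.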
Detail accounting by Realm
Dears,

I have a proxy radius which sends authentication and accounting to other radius servers. I would like to have a copy of these accounting data locally. This is already working in the detail file.

Now I am trying to make a file by realm proxied. I have tried this and it works, but I need to specify the exact realm. Is there a way to configure an expression here? I would like to make an expression to replace abc.be and abcnet.be so only one line is necessary (like realm == ~abc$)?

    accounting {
        detail
        if ((realm == abc.be) || (realm == abcnet.be)) {
            WriteABCAccounting
            WriteLOCALAccounting
        }
        if (realm == xyz.be) {
            WriteXYZaccounting
            WriteLOCALAccounting
        }
    }

Eric Bellière
Operation Integration Expert
ITNO/ISO/ISIO/LSS
Mobistar NV/SA
Avenue Jean Mermoz 32
6041 Gosselies
Tel: +32 (0)2 745 7997
GSM: +32(0)495 55 1343
Failed disabling Core Dumps on RHEL - SELinux Updates
A note for those that may run into this as well. When updating FR to 2.1.9 on RHEL/CentOS with SELinux enabled, FreeRADIUS would log the following when it was started:

    Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission denied

To resolve it I had to install the following modifications to the default SELinux policy:

    # cat freeradius2.te

    module freeradius2 1.0;

    require {
        type radiusd_t;
        class process setrlimit;
    }

    #============= radiusd_t ==============
    allow radiusd_t self:process setrlimit;

This allowed the daemon to properly disable core dumps.

Ben Wiechman
Wisper High Speed Internet
Re: Newbie question
Maria Sanchez wrote:
> For example an Admin role that indicates to an application what are the actions the user can perform.

OK.

> > Is this role for use by a real client, i.e. *not* radclient?
>
> Yes. I have an application that authenticates the user with Radius and then gets the set of roles assigned to this user. With the set of roles the application knows what the user can or cannot do.

If you're writing your own client, just return the name of the role in the Filter-Id attribute.

Alan DeKok.
Re: Detail accounting by Realm
BELLIERE Eric wrote:
> Now I am trying to make a file by realm proxied.

You can use the Realm name in the detail filename. That's why the filename is configurable in the detail module.

> I have tried this and it works, but I need to specify the exact realm. Is there a way to configure an expression here?

$ man unlang

> I would like to make an expression to replace abc.be and abcnet.be so only one line is necessary (like realm == ~abc$)?

See the above man page. You can use a regex.

Alan DeKok.
Re: Failed disabling Core Dumps on RHEL - SELinux Updates
Ben Wiechman wrote:
> A note for those that may run into this as well. When updating FR to 2.1.9 on RHEL/CentOS with SELinux enabled, FreeRADIUS would log the following when it was started:
>
>     Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission denied
>
> To resolve it I had to install the following modifications to the default SELinux policy
> ...
> This allowed the daemon to properly disable core dumps.

Hmm... security policies that prevent systems from increasing the security of the system. Nice.

Alan DeKok.
Re: Failed disabling Core Dumps on RHEL - SELinux Updates
On 06/30/2010 10:29 AM, Ben Wiechman wrote:
> A note for those that may run into this as well. When updating FR to 2.1.9 on RHEL/CentOS with SELinux enabled, FreeRADIUS would log the following when it was started:
>
>     Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission denied

Please file a bugzilla against selinux policy.

--
John Dennis
jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
RE: Failed disabling Core Dumps on RHEL - SELinux Updates
Despite the fact that this was against 2.1.9, not the freeradius2 rpm that is available with RHEL?

Ben

-----Original Message-----
From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of John Dennis
Sent: Wednesday, June 30, 2010 9:56 AM
To: FreeRadius users mailing list
Subject: Re: Failed disabling Core Dumps on RHEL - SELinux Updates

On 06/30/2010 10:29 AM, Ben Wiechman wrote:
> A note for those that may run into this as well. When updating FR to 2.1.9 on RHEL/CentOS with SELinux enabled, FreeRADIUS would log the following when it was started:
>
>     Wed Jun  2 16:19:57 2010 : Error: Failed disabling core dumps: Permission denied

Please file a bugzilla against selinux policy.

--
John Dennis
jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Detail accounting by Realm
Hi,

> I would like to make an expression to replace abc.be and abcnet.be so only one line is necessary (like realm == ~abc$)?

regex stuff?

    (realm =~ /~abc[a-zA-Z_]+?\.be/i)

?

alan
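One way to put both answers in this thread together: the Realm name in the detail filename (Alan DeKok's reply) and a single regex in the accounting section instead of one comparison per realm (Alan Buxey's reply). This is an added example, not the poster's configuration; the instance names, the directory layout under ${radacctdir} and the "unknown" fallback are chosen here.

```text
# raddb/modules/detail: two extra detail instances next to the stock one.
detail WriteLOCALAccounting {
	detailfile = ${radacctdir}/local/detail-%Y%m%d
	detailperm = 0600
	header = "%t"
}

detail WriteRealmAccounting {
	# The realm module sets Realm to the name of the realm block it
	# matched in proxy.conf, so this path component comes from the
	# server's own configuration, not from the User-Name on the wire.
	# The fallback keeps a request without a Realm out of the parent
	# directory itself.
	detailfile = ${radacctdir}/realm/%{%{Realm}:-unknown}/detail-%Y%m%d
	detailperm = 0600
	header = "%t"
}

# raddb/sites-enabled/default, accounting section
accounting {
	detail                  # stock per-client copy
	WriteLOCALAccounting    # one local copy of everything that arrives

	# One instance serves every realm; the condition only decides which
	# realms get a file of their own.  The regex is anchored at both ends
	# and escapes the dot, so abc.be and abcnet.be match while
	# abc.be.example or xabc.be do not.  Unanchored patterns such as
	# /abc/ would also match any realm merely containing "abc".
	if ((Realm =~ /^abc(net)?\.be$/) || (Realm == "xyz.be")) {
		WriteRealmAccounting
	}
	...
}
```

Adding a new proxied realm then needs only a proxy.conf entry plus, if it should get its own file, an extension of the condition; no new detail instance is required.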
Re: Failed disabling Core Dumps on RHEL - SELinux Updates
On 06/30/2010 03:06 PM, Ben Wiechman wrote:
> Despite the fact that this was against 2.1.9, not the freeradius2 rpm that is available with RHEL?

Yes. It's a policy problem and it needs to get fixed. We'll eventually ship 2.1.9 or the core dump fix back-ported to an earlier version; it would be nice to know the SELinux policy would just support it when we do ship it. For those like yourself who built 2.1.9, wouldn't it be nice to know the SELinux policy supports it?

--
John Dennis
jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: Failed disabling Core Dumps on RHEL - SELinux Updates
Hi,

> Yes. It's a policy problem and it needs to get fixed. We'll eventually ship 2.1.9 or the core dump fix back-ported to an earlier version; it would be nice to know the SELinux policy would just support it when we do ship it. For those like yourself who built 2.1.9, wouldn't it be nice to know the SELinux policy supports it?

those that install things from source usually have to fight SELinux all over the place ;-)

alan
ntlm_auth fails for none domain
Hi,

We are using freeRADIUS to talk to multiple ADs. I updated my freeRADIUS from 1.1.6 to 2.1.9 recently. xjtu is our default domain; users under this domain will only use the username to authenticate to RADIUS. With 1.1.6, it will get xjtu as the domain; but with 2.1.9, it will not, please see the debug info below.

This is the related part in the configuration file:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-xjtu} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

This is the debug info:

    [mschap] Told to do MS-CHAPv2 for hhe with NT-Password
    [mschap] No NT-Domain was found in the User-Name.
    [mschap]    expand: --domain=%{mschap:NT-Domain} -> --domain=
    [mschap]    expand: --username=%{mschap:User-Name:-None} -> --username=hhe
    [mschap] mschap2: a6
    [mschap]    expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ddca17e9bfdaf05a
    [mschap]    expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=741e305efc7bce1071682eee0b3c37142b184b9544242304

John

    # -*- text -*-
    #
    #  $Id$

    #
    #  Microsoft CHAP authentication
    #
    #  This module supports MS-CHAP and MS-CHAPv2 authentication.
    #  It also enforces the SMB-Account-Ctrl attribute.
    #
    mschap {
        #use_mppe = no
        #require_encryption = yes
        #require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain:-xjtu} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }