Framed-IP-Address AVP missing
Hi,

This query is related to Cisco 7206 equipment behavior. We have a Cisco 7206 (IOS 12.2(33)) associated with a FreeRADIUS server 2.1.10. Upon PPPoE client start, a dynamic IP is assigned from the IP pool to the PPPoE client. However, this IP address is not included in the Framed-IP-Address AVP sent in the Access-Request message from the NAS. Request to provide your inputs on this, as this is reported across other forums (unfortunately, no answers available there :)).

I have enabled this AVP inclusion with the NAS command:

radius-server attribute 8 include-in-access-req

Also find the configuration which I have used for your info:

Current configuration : 3420 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCOBRAS
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$NS9k$AMTl8utX2OqwQbWtVsNQX0
enable password abcd
!
aaa new-model
!
!
aaa group server radius bsnl
 server 172.31.113.137 auth-port 1812 acct-port 1813
!
aaa group server radius gsds
 server 172.31.113.135 auth-port 1812 acct-port 1813
!
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa authorization subscriber-service default local
aaa accounting network default start-stop broadcast group bsnl group gsds
!
!
!
!
aaa server radius dynamic-author
 client 172.31.113.135 server-key testing123
 server-key testing123
 auth-type any
 ignore session-key
!
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip host gsds 172.31.113.135
ip host bsnl 172.31.113.137
ip host isp 172.31.113.137
ip address-pool local
!
!
service-policy type control L2_ACCESS
redirect server-group GSDS_SRV
 server ip 172.31.113.135 port 80
!
redirect server-group ISP_SRV
 server ip 172.31.113.136 port 80
!
multilink bundle-name authenticated
no call rsvp-sync
!
!
!
!
!
!
!
username abcd password 0 abcd
!
class-map type traffic match-any PPP_SESSION_TRAFFIC_GRAS
 match access-group input name ACL_GRAS_USER
!
class-map type traffic match-any PPP_SESSION_TRAFFIC
 match access-group input name ACL_BSNL_USER
!
class-map type control match-all GRASBERG
 match unauthenticated-domain gsds
!
class-map type control match-all PPP_SESSION
 match protocol ppp
!
policy-map type service SVC_GSDS
 service local
 class type traffic PPP_SESSION_TRAFFIC_GRAS
  redirect to group GSDS_SRV
!
!
policy-map type service SVC_GSDS_TO_INTERNET
 service local
 class type traffic PPP_SESSION_TRAFFIC_GRAS
  redirect to group ISP_SRV
!
!
policy-map type control L2_ACCESS
 class type control PPP_SESSION event session-start
  1 collect identifier unauthenticated-domain
  2 service-policy type control DOMAIN_BASED_ACCESS
!
!
policy-map type control DOMAIN_BASED_ACCESS
 class type control GRASBERG event session-start
  1 authenticate aaa list default
  2 service-policy type service name SVC_GSDS
!
!
!
!
!
!
!
bba-group pppoe BSNL_BBA_GROUP
 virtual-template 1
!
!
interface FastEthernet1/0
 ip address 172.31.113.150 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex full
!
interface FastEthernet1/1
 description PPPoE
 ip address 10.10.10.4 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex full
 pppoe enable group BSNL_BBA_GROUP
!
interface Virtual-Template1
 ip unnumbered FastEthernet1/1
 peer default ip address pool GRAS_IP_POOL
 ppp authentication chap callin
!
ip local pool GRAS_IP_POOL 10.10.10.20
ip default-gateway 10.10.10.4
ip classless
!
!
no ip http server
no ip http secure-server
!
ip access-list standard ACL_GRAS_USER
 permit 10.10.10.0 0.0.0.255
!
!
!
radius-server attribute 8 include-in-access-req
radius-server attribute 11 default direction in
radius-server host 172.31.113.137 auth-port 1812 acct-port 1813
radius-server host 172.31.113.135 auth-port 1812 acct-port 1813
radius-server key testing123
radius-server vsa send accounting
radius-server vsa send authentication
!
control-plane
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
!
end

thanks,
Raj

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
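One way to verify, on the RADIUS server side, whether an Access-Request really carries Framed-IP-Address (attribute 8) is to decode the packet's AVPs directly. This is an added example, not code from the thread, from Cisco or from FreeRADIUS: the two packets are constructed here (the NAS address 10.10.10.4 and pool address 10.10.10.20 follow the configuration above; the user name and Request Authenticator are made up), and the parser rejects malformed lengths instead of skipping them.

```python
"""Inspect a RADIUS Access-Request for Framed-IP-Address (attribute 8).

Added example; not from the thread, Cisco or FreeRADIUS. All packet bytes are
constructed below, nothing is captured from a real NAS.
"""
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_NAS_PORT_TYPE = 61

# Only the attributes this example decodes; everything else is treated as text.
IPADDR_ATTRS = {ATTR_NAS_IP_ADDRESS, ATTR_FRAMED_IP_ADDRESS}
INTEGER_ATTRS = {ATTR_NAS_PORT_TYPE}


def build_packet(code, identifier, authenticator, avps):
    """Serialise a packet in RFC 2865 layout from (type, raw value bytes) pairs."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 octets")
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Decode header and AVPs; returns (code, identifier, [(type, value), ...]).

    Malformed lengths raise ValueError instead of being skipped: a lenient
    parser here is how attribute-smuggling bugs start.
    """
    if len(data) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad packet length %d" % length)
    avps, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length %d at offset %d" % (alen, pos))
        raw = data[pos + 2:pos + alen]
        if atype in IPADDR_ATTRS:
            if len(raw) != 4:
                raise ValueError("ipaddr attribute %d is %d octets" % (atype, len(raw)))
            value = socket.inet_ntoa(raw)
        elif atype in INTEGER_ATTRS:
            if len(raw) != 4:
                raise ValueError("integer attribute %d is %d octets" % (atype, len(raw)))
            value = struct.unpack("!I", raw)[0]
        else:
            value = raw.decode("utf-8", "replace")
        avps.append((atype, value))
        pos += alen
    return code, identifier, avps


def framed_ip_in_access_request(data):
    """Return the Framed-IP-Address string if the Access-Request carries one, else None."""
    code, _, avps = parse_packet(data)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request (code %d)" % code)
    for atype, value in avps:
        if atype == ATTR_FRAMED_IP_ADDRESS:
            return value
    return None


# Constructed Request Authenticator (a real one is 16 random octets per request).
SAMPLE_AUTHENTICATOR = bytes(range(16))

# What the NAS should send once attribute 8 is included in the Access-Request;
# NAS address and pool address follow the thread's configuration.
WITH_FRAMED_IP = build_packet(ACCESS_REQUEST, 7, SAMPLE_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"raj@example.test"),
    (ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.10.10.4")),
    (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("10.10.10.20")),
])
# What the thread actually observed: the same request with no attribute 8 at all.
WITHOUT_FRAMED_IP = build_packet(ACCESS_REQUEST, 8, SAMPLE_AUTHENTICATOR, [
    (ATTR_USER_NAME, b"raj@example.test"),
    (ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.10.10.4")),
])

if __name__ == "__main__":
    for label, pkt in (("expected", WITH_FRAMED_IP), ("observed", WITHOUT_FRAMED_IP)):
        print("%s: Framed-IP-Address = %s" % (label, framed_ip_in_access_request(pkt)))
```

Feeding it the raw datagram from a capture of the NAS's Access-Request tells you whether attribute 8 is absent on the wire or merely not shown by the server.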
Re: rlm_python and the Tunnel-Private-Group-Id attribute
Sorry, reading a little deeper into the email, I do not have it the way you set it up. I use eDir for all the DVlan attributes and have Radius query when the user logs in. Most of the assignments are done via Radius profiles in eDir. The Cisco thing I know is the case however, was pulling my hair out using the ID before and found you had to use the name.

Hope you get the perl side to work.

Thanks

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

>>> On Thursday, February 10, 2011 at 12:47 PM, in message
>>> <4d53de6b02690002d...@internetemail.musd.org>, "Brett Littrell"
>>> wrote:

Hi Bob,

I do have this running successfully with eDir. I am guessing you are using the eDir Radius schema extensions? Also, if you are using Cisco equipment, you have to send the vlan name, not the ID. Not sure if other switches require the ID.

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

>>> On Thursday, February 10, 2011 at 1:24 AM, in message
>>> , Bob Brandt
>>> wrote:

Not sure if there isn't another forum or mailing list for rlm_python specifically, but...

I have been using freeradius for a while now with great results, thanks!

We are using a very simple configuration to authenticate users against LDAP (eDirectory) and that part works great! I am trying to add a component that will return the necessary attributes to allow for dynamic VLANs. I was able to get this working using the /etc/raddb/users file; however, due to the size of the organization, this is very messy. I have started using python to extract this information from another database and return the information. All my testing seems to indicate it should work, but it is not. I believe the problem is in how rlm_python returns the "Tunnel-Private-Group-Id" attribute.

My users file (which works) looks like this:

# Generic LDAP return attributes
DEFAULT Auth-Type == "LDAP"
        Class = "Staff",
        Service-Type = Login,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 99,
        Fall-Through = Yes

brandtb
        Reply-Message += "You are a member of the IT Group",
        Class := "CACS:0/ebf42/ac8c8e6/administrator",
        Tunnel-Private-Group-ID := 150,
        Alcatel-Lucent-Asa-Access = "all",
        Fall-Through = No

Below are the two snippets of the debugs. The first is from the old (working) system which uses the users file and the second is from the new system using the rlm_python module:

Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
        Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
        Service-Type = Login-User
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 := "150"
        Reply-Message += "You are a member of the IT Group"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xc146d1a4c144c80f46bec9bc87d3208b
Finished request 0.

-

Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
        Reply-Message = "You are a member of the IT Group"
        Tunnel-Type:0 = VLAN
        Class = 0x4f5057537461
        Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
        Tunnel-Medium-Type:0 = IEEE-802
        Service-Type = Login-User
        Tunnel-Private-Group-Id:0 = "150"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
Finished request 0.

The debug output looks for the most part identical!

Now, initially when using the users file, I had the same problem I am having now, where the wireless access point was getting the attributes but was not putting me in the correct VLAN. The problem turned out that I was passing a string to the "Tunnel-Private-Group-Id" attribute instead of an integer. Once I removed the quotes from the VLAN ID everything was working perfectly.

Thinking that the problem was that within Python I was storing the "Tunnel-Private-Group-Id" attribute as a string, I changed it to an integer; however, I immediately got the error:

return tuple must be (str,str)

I don't know how to get around this and I have not been able to find too many examples of how to use the rlm_python module. Any help would be greatly appreciated.

Thanks
Bob Brandt

--
What's the point of having a rapier wit if I can't use it to stab people? - Jeph Jacques
Re: AW: Authenticating SSH login on a Cisco IOS switch to AD
That's fine. I'm refreshing myself on our confs this morn, so I'll be able to help you more efficiently after that. In the mean time ensure your SAMBA works, that can take a little work. Also, obtain the SID of the AD group you want to check membership of. NTLM_AUTH says it can use the group "name", but I tried several different syntaxes and could only get it working with the SID.

From: Schaatsbergen, Chris [mailto:chris.schaatsber...@aleo-solar.de]
Sent: Thursday, February 10, 2011 05:31 AM
To: FreeRadius users mailing list
Subject: AW: Authenticating SSH login on a Cisco IOS switch to AD

Gary

Would you mind if I contacted you directly (I have your e-mail) about this? I have seen a very nice discussion and reading this a second time has proven that what you describe here is exactly what we are looking for. But I would still really appreciate some help getting it to work.

Thanks,
Chris

From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Wednesday, 9 February 2011 17:11
To: 'FreeRadius users mailing list'
Subject: RE: Authenticating SSH login on a Cisco IOS switch to AD

Authentication with ntlm-auth and "require-membership-of" works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is "authorized" locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD. Everyone knows the secret password. Works well.

On our "dev" FR instance I have an FR users file to return various Cisco attribute-value pairs. This works well too. Somewhere down the road I'll go for a full authorization process with AD on the back side, or since a relatively small number of users access our gear, might just stick to users file. Guess it depends how skilled I get with LDAP/AD/unlang/whatever else...

G

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On Behalf Of Brett Littrell
Sent: Wednesday, February 09, 2011 9:57 AM
To: FreeRadius users mailing list
Subject: Re: Authenticating SSH login on a Cisco IOS switch to AD

Hi Chris,

We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on what authorization is given per user. This means that you're going to have to have AD respond with this information or have some other method that will inject those values when you login. I think it is possible but I do not think it will be too easy if you are only using AD as the back-end; you may need to use local files to define groups with attributes or some scripts to inject the values Cisco wants.

Hope that helps.

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE

>>> On Wednesday, February 09, 2011 at 7:24 AM, in message
>>> <604AAF035805AB46B4F293945AE8F9FC182FEB879C@pzex01-07>, "Schaatsbergen,
>>> Chris" wrote:

Greetings all,

We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation.

I have been looking and found:
http://wiki.freeradius.org/Cisco for authenticating inbound shell users and
http://deployingradius.com/documents/configuration/active_directory.html for authenticating users on AD.

Now I am trying to combine those two. On the Freeradius server Samba and Kerberos are configured, the ntlm_auth returns an NT_STATUS_OK.

First question: Would this at all be possible?

And if so my second question: Unfortunately, when I add ntlm_auth to the authenticate section of sites-enabled/default and run freeradius -X I get an error that the ntlm_auth module could not be loaded though I have created the ntlm_auth file in the modules folder as described in the link. How should I get that to work?

Help would be highly appreciated.

Chris Schaatsbergen
EAP and Accounting
I am working with a NAS that only sends accounting packets with the EAP-style username. Other than matching up {am=1}f717cc32fff26ff29ca0baac5833f...@wimax.com with "b...@wimax.com" manually in the database, are there other methods for achieving this?

David
Re: AW: Authenticating SSH login on a Cisco IOS switch to AD
Oliver Elliott wrote:
> I had a look into this and as far as I could tell, the conversation
> between the switch and the radius server was not encrypted unless you
> use TACACS. Does anyone know if this conversation can be encrypted while
> using Freeradius, as otherwise the domain login details are presumably
> being sent over the network in clear text?

RADIUS passwords are always encrypted.

If you want a "real" TACACS+ server, add TACACS+ support to FreeRADIUS. It isn't hard, i.e. probably ~2K LoC. But I haven't had the incentive to do it yet.

After that, maybe ARP. I've been looking at the "arpwatch" programs, and none of them talk to databases.

Alan DeKok.
Re: How to get fractions of seconds?
Ramon J. Castillo wrote:
> I see it useful too, when specifying for example "response_window" that
> instead of be 1 "One second" could be 1200 as in "twelve
> hundred milliseconds".

I'm surprised that would be useful.

> I have found some devices that time out in 3 seconds ,

The vendors need to read RFC 5080.

> in these cases
> you still want to retry at least once . Of course here the network delay
> is kept under 300 milliseconds end to end.

The server doesn't do retries, only the NAS does. So changing the response_window will likely not help.

Alan DeKok.
Re: rlm_python and the Tunnel-Private-Group-Id attribute
My only observation right now is that there is a colon (:=) in the debug of the working server. Would that make any difference?

On Thu, Feb 10, 2011 at 11:09 AM, Alan DeKok wrote:
>
> > Below are the two snippets of the debugs. The first is from the
> > old (working) system which uses the users file and the second is from the
> > new system using the rlm_python module:
> ...
> > Tunnel-Private-Group-Id:0 := "150"
> ...
> > Tunnel-Private-Group-Id:0 = "150"
> ...
> > The debug output looks for the most part identical!
>
> Yup.
>
Re: rlm_python and the Tunnel-Private-Group-Id attribute
Bob Brandt wrote:
> All my testing seems to indicate it should work, but it is not. I
> believe the problem is in how rlm_python returns the
> "Tunnel-Private-Group-Id" attribute.

As a string. The server core parses it into whatever is necessary. Date, IP address, etc.

> Below are the two snippets of the debugs. The first is from the
> old (working) system which uses the users file and the second is from the
> new system using the rlm_python module:
...
> Tunnel-Private-Group-Id:0 := "150"
...
> Tunnel-Private-Group-Id:0 = "150"
...
> The debug output looks for the most part identical!

Yup.

> Now, initially when using the users file, I had the same problem I am
> having now, where the wireless access point was getting the attributes
> but was not putting me in the correct VLAN. The problem turned out that
> I was passing a string to the "Tunnel-Private-Group-Id" attribute
> instead of an integer. Once I removed the quotes from the VLAN ID
> everything was working perfectly.

Hmm... I don't see why. The attribute is defined to be a string. Using quotes or not shouldn't make any difference.

Alan DeKok.
rlm_python and the Tunnel-Private-Group-Id attribute
Not sure if there isn't another forum or mailing list for rlm_python specifically, but...

I have been using freeradius for a while now with great results, thanks!

We are using a very simple configuration to authenticate users against LDAP (eDirectory) and that part works great! I am trying to add a component that will return the necessary attributes to allow for dynamic VLANs. I was able to get this working using the /etc/raddb/users file; however, due to the size of the organization, this is very messy. I have started using python to extract this information from another database and return the information. All my testing seems to indicate it should work, but it is not. I believe the problem is in how rlm_python returns the "Tunnel-Private-Group-Id" attribute.

My users file (which works) looks like this:

# Generic LDAP return attributes
DEFAULT Auth-Type == "LDAP"
        Class = "Staff",
        Service-Type = Login,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Type = VLAN,
        Tunnel-Private-Group-ID = 99,
        Fall-Through = Yes

brandtb
        Reply-Message += "You are a member of the IT Group",
        Class := "CACS:0/ebf42/ac8c8e6/administrator",
        Tunnel-Private-Group-ID := 150,
        Alcatel-Lucent-Asa-Access = "all",
        Fall-Through = No

Below are the two snippets of the debugs. The first is from the old (working) system which uses the users file and the second is from the new system using the rlm_python module:

Sending Access-Challenge of id 172 to 10.200.113.99 port 18699
        Class := 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
        Service-Type = Login-User
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 := "150"
        Reply-Message += "You are a member of the IT Group"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0xc146d1a4c144c80f46bec9bc87d3208b
Finished request 0.

-

Sending Access-Challenge of id 130 to 10.200.113.99 port 18673
        Reply-Message = "You are a member of the IT Group"
        Tunnel-Type:0 = VLAN
        Class = 0x4f5057537461
        Class = 0x434143533a302f65626634322f616338633865362f61646d696e6973747261746f72
        Tunnel-Medium-Type:0 = IEEE-802
        Service-Type = Login-User
        Tunnel-Private-Group-Id:0 = "150"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x
        State = 0x8cd4aac48cd6b3a6430ea766ccfa9b91
Finished request 0.

The debug output looks for the most part identical!

Now, initially when using the users file, I had the same problem I am having now, where the wireless access point was getting the attributes but was not putting me in the correct VLAN. The problem turned out that I was passing a string to the "Tunnel-Private-Group-Id" attribute instead of an integer. Once I removed the quotes from the VLAN ID everything was working perfectly.

Thinking that the problem was that within Python I was storing the "Tunnel-Private-Group-Id" attribute as a string, I changed it to an integer; however, I immediately got the error:

return tuple must be (str,str)

I don't know how to get around this and I have not been able to find too many examples of how to use the rlm_python module. Any help would be greatly appreciated.

Thanks
Bob Brandt

--
What's the point of having a rapier wit if I can't use it to stab people? - Jeph Jacques
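A minimal rlm_python post-auth handler that returns the dynamic-VLAN attributes in the (str, str) shape the module insists on, serving Bob's question above and Alan's and Brett's replies elsewhere in this thread. It is an added example, not Bob's module and not FreeRADIUS's own code; it assumes the server-supplied radiusd module (a constructed shim stands in when run stand-alone), a made-up username-to-VLAN table with made-up VLAN names, and a made-up rule that a NAS-Identifier beginning with "cisco" gets the VLAN name rather than the numeric id, which is what Brett reports Cisco gear needs.

```python
"""rlm_python post-auth handler returning dynamic-VLAN reply attributes.

Added example, not Bob's module or FreeRADIUS code. `radiusd` is supplied by
the server when loaded through rlm_python; the shim below only exists so the
file runs stand-alone. VLAN_TABLE and the NAS-Identifier rule are constructed.
"""
try:
    import radiusd  # provided by the FreeRADIUS process
except ImportError:  # stand-alone run: constructed shim with rlm_python's return codes
    class radiusd(object):
        RLM_MODULE_REJECT = 0
        RLM_MODULE_FAIL = 1
        RLM_MODULE_OK = 2
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8

# Constructed lookup: username -> (VLAN id, VLAN name). Brett's point is that
# Cisco gear wants the name in Tunnel-Private-Group-Id while other switches
# take the id, so keep both and choose per NAS. A real module would query a
# database or LDAP here instead.
VLAN_TABLE = {
    "brandtb": (150, "IT-STAFF"),
    "jdoe": (99, "STAFF"),
}
DEFAULT_VLAN = (99, "STAFF")


def pairs_to_dict(p):
    """rlm_python hands the request in as a tuple of (name, value) string pairs."""
    return dict(p)


def vlan_reply_attrs(username, nas_wants_name=False):
    """Build the reply attribute list.

    Every value is a str: rlm_python only accepts (str, str) pairs, and the
    server core converts "150" to the dictionary type of the attribute
    (Tunnel-Private-Group-Id is itself a string type, as Alan notes).
    """
    vlan_id, vlan_name = VLAN_TABLE.get(username, DEFAULT_VLAN)
    group_id = vlan_name if nas_wants_name else str(vlan_id)
    return (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", group_id),
        ("Service-Type", "Login-User"),
    )


def check_return_shape(reply):
    """Catch the exact mistake from the thread (an int in the tuple) before
    rlm_python rejects it with "return tuple must be (str,str)"."""
    for item in reply:
        if not (isinstance(item, tuple) and len(item) == 2
                and all(isinstance(x, str) for x in item)):
            raise TypeError("reply item %r is not a (str, str) pair" % (item,))
    return True


def post_auth(p):
    """Entry point rlm_python calls from the post-auth section."""
    req = pairs_to_dict(p)
    username = req.get("User-Name", "")
    # Constructed rule: a NAS-Identifier starting with "cisco" gets the VLAN name.
    wants_name = req.get("NAS-Identifier", "").lower().startswith("cisco")
    reply = vlan_reply_attrs(username, wants_name)
    check_return_shape(reply)
    # rlm_python return shape: (return code, reply attributes, control attributes)
    return (radiusd.RLM_MODULE_UPDATED, reply, ())


if __name__ == "__main__":
    # Constructed request, as rlm_python would pass it in.
    sample = (("User-Name", "brandtb"), ("NAS-Identifier", "cisco-ap1"))
    print(post_auth(sample))
```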
Re: FreeRADIUS + Cygwin + Active Directory authentication?
Moe, John wrote:
> I'm trying to set up a FreeRADIUS server in our organization, and the
> corporate preference is to run on Windows. I've got FreeRADIUS to compile
> and have successfully completed the PAP test (from
> http://deployingradius.com/documents/configuration/pap.html) to make sure it
> works.

That's a bit of work. I haven't bothered trying that in a while.

> Now I'm looking to set up Active Directory authentication. To do
> that, all the documentation I've read is geared towards Linux servers
> running Samba. From what I gather, it uses the ntlm_auth program to
> authenticate to the Windows Active Directory, which returns "NT_KEY output,
> which is needed in order for FreeRADIUS to perform MS-CHAP authentication."
>
> Is there a way I can do this on a Windows/Cygwin server?

Not really, no. There isn't much point, either.

The *correct* way to do it on Windows would be to use some Windows MS-CHAP APIs to authenticate (if those exist). There could be a Windows-specific MS-CHAP module. But that takes time.

My $0.02: run a VMware image of Linux on the Windows box. FreeRADIUS doesn't need a whole lot of CPU power, so it shouldn't be a problem.

Alan DeKok.
Re: FreeRADIUS + Cygwin + Active Directory authentication?
Hi,

> Frankly, running Free Radius on windows sounds like a bad idea,
> especially should you ever need to update it or have another person
> (maybe 5 years down the road) change it a bit. Generally, running
> server process under cygwin is a lot of extra work for not much
> convenience. I would suggest either running it on a linux server (and
> documenting everything you do) or running a different RADIUS server
> that natively runs on windows.

Somewhat reluctantly I would agree with this. Either run FreeRADIUS in its 'full environment' - e.g. with SAMBA on a Linux, BSD etc. box - follow all the docs/guides and ensure any local changes are clearly documented, or run native RADIUS on the Windows box - NPS or IAS - as they are already fully integrated.

Oh, there is the 3rd option: run FreeRADIUS on its own system and then just proxy the AD stuff to the IAS/NPS box to deal with. This gives you all the power/flexibility of FreeRADIUS and just leverages the IAS/NPS box to do the AD grunt work.

(Actually, that last option is the most palatable :-) )

alan