Re: AD Authentication + radius + foundryAP
Mark Pipkin wrote:
> With all of the frustration I nuked all of FreeRadius from the server
> using 'aptitude purge freeradius freeradius-common freeradius-utils'.
> This cleaned up all of my changes. Then I reinstalled FreeRadius.

i.e. start from the default configuration.

> From here I followed the "Updated tutorial" until I got to: Configuring
> FreeRADIUS to use ntlm_auth for MS-CHAP. When I reached this section,
> and I had everything working, I went back to the original HowTo and read
> through it. (note to self: don't just jump ahead just because a HowTo seems
> too good to be true.

And then follow the documentation. It *will* work.

> The "Updated tutorial" doesn't let you know anything about peap,
> with_ntdomain_hack, the default setting of eap, or setting up clients.
> So it is not, in my opinion, a complete walk through.

Sure. It documents one piece of the server functionality. For the rest, documentation generally exists.

> Currently everything is working. I'm able to authenticate through radius
> using Windows 2000 AD.
>
> Resolved.

Exactly.

The frustration I generally show is people (a) butchering the default configs, (b) refusing to follow the docs, and (c) arguing when told "don't do that".

It's really not hard.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active directory groups
That is the fun I am having. The baseDN of dc=AD,dc=ne,dc=gov DOES work from ldapsearch and these are actually the credentials I have received from our LDAP admins. One of the more specific options I received must be wrong.

That all being said though, you are responding with an answer that at least lets me know that my syntax is correct, even if the information I am receiving from the local LDAP folks is not.

Thanks for your help.

On Fri, 2011-05-20 at 17:03 +0100, Phil Mayers wrote:
> On 20/05/11 16:27, Doty, Seth wrote:
> > I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this
> > results in the same failure in the group section.
> > rlm_ldap: object not found
> > rlm_ldap::ldap_groupcmp: search failed
> >
> > I can't remove the ou=test portion or authentication fails completely and
> > I get a reject:
> > [ldap] performing user authorization for seth.doty
> > [ldap] expand: %{Stripped-User-Name} ->
> > [ldap] expand: %{User-Name} -> seth.doty
> > [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty)
> > [ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov
> > rlm_ldap: ldap_get_conn: Checking Id: 0
> > rlm_ldap: ldap_get_conn: Got Id: 0
> > rlm_ldap: attempting LDAP reconnection
> > rlm_ldap: closing existing LDAP connection
> > rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0
> > rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
> > rlm_ldap: waiting for bind result ...
> > rlm_ldap: Bind was successful
> > rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty)
> > rlm_ldap: ldap_search() failed: Operations error
>
> You're just putting random things into the ldap config and hoping it
> will work.
>
> Go and speak to the people who run your LDAP service. Ask them for the
> correct base DN, bind DN and credentials, group filters and so forth.
>
> Try these LDAP parameters from the command line using ldapsearch. When
> it's working, try them with FreeRADIUS.
Re: Active directory groups
On 20/05/11 16:27, Doty, Seth wrote:
> I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this
> results in the same failure in the group section.
> rlm_ldap: object not found
> rlm_ldap::ldap_groupcmp: search failed
>
> I can't remove the ou=test portion or authentication fails completely and
> I get a reject:
> [ldap] performing user authorization for seth.doty
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] expand: %{User-Name} -> seth.doty
> [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty)
> [ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: closing existing LDAP connection
> rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0
> rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty)
> rlm_ldap: ldap_search() failed: Operations error

You're just putting random things into the ldap config and hoping it will work.

Go and speak to the people who run your LDAP service. Ask them for the correct base DN, bind DN and credentials, group filters and so forth.

Try these LDAP parameters from the command line using ldapsearch. When it's working, try them with FreeRADIUS.
Re: Active directory groups
I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this results in the same failure in the group section.

rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed

I can't remove the ou=test portion or authentication fails completely and I get a reject:

[ldap] performing user authorization for seth.doty
[ldap] expand: %{Stripped-User-Name} ->
[ldap] expand: %{User-Name} -> seth.doty
[ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty)
[ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0
rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty)
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail

On Fri, 2011-05-20 at 15:26 +0100, Phil Mayers wrote:
> On 20/05/11 15:14, Doty, Seth wrote:
> > I must be doing something wrong in my filtering because it keeps dumping
> > me into unclassified instead of passing the group I assigned. I have
> > set up a security group specifically for this test and I am indeed in the
> > group.
> >
> > I set it up like this in sites-enabled/inner-tunnel because it seemed
> > this manner was a little more flexible for our needs:
> >
> > post-auth {
> > if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security
> > Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {
>
> This is wrong. You don't give the group DN. You give the value of
> "groupname_attribute" in the ldap module, defaults to "cn", i.e.
>
> post-auth {
>     if (Ldap-Group == STNS_Wireless_Authentication) {
>         ..
>     }
> }
RE: AD Authentication + radius + foundryAP
I don't like leaving things unresolved and just lying around like so many other posts that I have run across. I guess Alan DeKok scares them off with the "It's in plain view dumb ass" attitude. I'm sure after answering the questions over and over again, it is about the only response that someone can give who is just tired of the same old questions and wants a challenge. With that being said...

On Ubuntu 10.04 w/ updates, FreeRadius 2.1.8, Windows XP/7, and W2K AD.

The wiki has a HowTo on AD:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

At the very top of this page there is: "Updated tutorial for freeradius 2.x is at: http://deployingradius.com/documents/configuration/active_directory.html"

This is all well and good, but I jumped straight to that link. There seems to be some information that is left out and that is important in the "Updated tutorial."

With all of the frustration I nuked all of FreeRadius from the server using 'aptitude purge freeradius freeradius-common freeradius-utils'. This cleaned up all of my changes. Then I reinstalled FreeRadius.

From here I followed the "Updated tutorial" until I got to: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP. When I reached this section, and I had everything working, I went back to the original HowTo and read through it. (note to self: don't just jump ahead just because a HowTo seems too good to be true.)

The "Updated tutorial" doesn't let you know anything about peap, with_ntdomain_hack, the default setting of eap, or setting up clients. So it is not, in my opinion, a complete walk through.

There is light though. Once I got to the point where ntlm_auth was working for me, I started back on the wiki HowTo and went to the section 'Configuration of clients.conf'. Set the client up:

    client foundryAP {
        ipaddr = 192.168.0.1
        secret = testing123
    }

In the "Configuration of radius.conf" section (this part seems more like the 1. config) the 'with_ntdomain_hack = yes' setting was found in the ~/modules/mschap file. You don't need 'auth-type = MS-CHAP'. For ntlm_auth I'm using:

    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=DOMAIN+group"

The eap.conf section of the HowTo was spot on. I also set the clients up; this was pointed out to me earlier in this thread twice, so make sure your client is set up correctly as well.

Currently everything is working. I'm able to authenticate through radius using Windows 2000 AD.

Resolved.
Re: Active directory groups
On 20/05/11 15:14, Doty, Seth wrote:
> I must be doing something wrong in my filtering because it keeps dumping
> me into unclassified instead of passing the group I assigned. I have
> set up a security group specifically for this test and I am indeed in the
> group.
>
> I set it up like this in sites-enabled/inner-tunnel because it seemed
> this manner was a little more flexible for our needs:
>
> post-auth {
> if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security
> Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {

This is wrong. You don't give the group DN. You give the value of "groupname_attribute" in the ldap module, defaults to "cn", i.e.

post-auth {
    if (Ldap-Group == STNS_Wireless_Authentication) {
        ..
    }
}
Re: Active directory groups
I must be doing something wrong in my filtering because it keeps dumping me into unclassified instead of passing the group I assigned. I have set up a security group specifically for this test and I am indeed in the group.

I set it up like this in sites-enabled/inner-tunnel because it seemed this manner was a little more flexible for our needs:

post-auth {
    if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {
        update reply {
            Filter-Id := networking
        }
    } else {
        update reply {
            Filter-Id := secure-unclassified
        }
    }
}

Here is my radiusd -X:

FreeRADIUS Version 2.1.7, for host x86_64-redhat-linux-gnu, built on Mar 31 2010 at 00:14:28
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/ldap.save
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/radius"
    libdir = "/usr/lib64/freeradius"
    radacctdir = "/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    allow_core_dumps = no
    pidfile = "/var/run/radiusd/radiusd.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: Loading Realms and Home Servers
proxy server { retr
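The Ldap-Group comparison that Phil corrects in his reply, and that the post-auth block above gets wrong, is shown here as an added example (an editor's illustration, not code from the thread or from FreeRADIUS). It takes a constructed memberOf list in place of rlm_ldap's live group search and models only the matching rule Phil states: the check value is compared against the groupname_attribute value (cn) of each group, never against the full DN. The function names, the sample DNs and the SAMPLE_MEMBER_OF list are all this example's own assumptions.

```python
"""Added example: models the Ldap-Group matching rule from the thread.
rlm_ldap does a real LDAP search for membership; only the comparison of the
check value against the groupname_attribute value is reproduced here."""


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, one per RDN.

    Backslash escapes are honoured so an escaped comma inside a value
    ('CN=Smith\\, Seth,OU=...') does not split the RDN. Multi-valued RDNs
    joined with '+' are not handled; AD group DNs do not use them.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def group_names(member_of, groupname_attribute="cn"):
    """Values of groupname_attribute from the leading RDN of each group DN.

    This is the namespace an Ldap-Group check value is compared against:
    'STNE_Wireless_Authentication', not the whole DN.
    """
    names = []
    for dn in member_of:
        attr, value = split_dn(dn)[0]
        if attr == groupname_attribute.lower():
            names.append(value)
    return names


def ldap_group_matches(member_of, check_value, groupname_attribute="cn"):
    """AD matches attribute values case-insensitively, so compare casefolded."""
    wanted = check_value.casefold()
    return any(n.casefold() == wanted
               for n in group_names(member_of, groupname_attribute))


def post_auth_filter_id(member_of, group="STNE_Wireless_Authentication"):
    """The decision Seth's post-auth block expresses, with the check value
    written the way Phil says it must be (the cn, not the DN)."""
    return "networking" if ldap_group_matches(member_of, group) else "secure-unclassified"


# Constructed memberOf values for a test user (not taken from any real directory).
SAMPLE_MEMBER_OF = [
    "CN=STNE_Wireless_Authentication,OU=Security Groups,OU=test,OU=test,DC=AD,DC=ne,DC=gov",
    "CN=Domain Users,CN=Users,DC=AD,DC=ne,DC=gov",
    "CN=Smith\\, Seth Test,OU=Groups,DC=AD,DC=ne,DC=gov",
]

if __name__ == "__main__":
    print(group_names(SAMPLE_MEMBER_OF))
    print(post_auth_filter_id(SAMPLE_MEMBER_OF))
    # The full DN, as written in the original post, never matches a cn value:
    print(ldap_group_matches(SAMPLE_MEMBER_OF, SAMPLE_MEMBER_OF[0]))
```

The last print is the whole point of Phil's correction: handing the comparison a DN string yields no match, so every user falls through to the else branch and gets the "secure-unclassified" Filter-Id, which is exactly what Seth saw.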
Re: /etc/raddb/radiusd.conf[249]: Error binding to port for :: port 1812
Hi,

You can recheck the same with ps -ef with grep; maybe some process is still there. If you get one then kill it, or you can try netstat to check which service port 1812 is used for.

Regards,
Pradyumna

On Fri, May 20, 2011 at 3:02 PM, Dougan, Linda A wrote:
> I just upgraded to net-dialup/freeradius-2.1.7 on a *gentoo* linux server.
>
> I have already checked to see if there is anything listening on port 1812
> including freeradius and there is nothing on that port. Any help would be
> greatly appreciated.
>
> This is my radiusd -X output.
>
> FreeRADIUS Version 2.1.7, for host i686-pc-linux-gnu, built on May 12 2011 at 10:43:07
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/ldap
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modu
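An added example (not from the thread) that does Pradyumna's check in code rather than with netstat: it attempts the same UDP bind() radiusd performs for its listeners and reports which ports are already held. The function names are this example's own; it probes IPv4 by default, and passing host="::" with family=socket.AF_INET6 probes the IPv6 wildcard named in Linda's error line.

```python
import errno
import socket


def udp_port_available(port, host="0.0.0.0", family=socket.AF_INET):
    """Return True if a UDP socket can be bound to host:port right now.

    This is the same bind() radiusd does for its auth/acct listeners, so a
    False result reproduces the 'Error binding to port' condition without
    starting the server. The probe socket is closed immediately afterwards.
    EACCES (privileged port without the right to bind it) is reported as
    unavailable too, since radiusd would fail in the same way.
    """
    probe = socket.socket(family, socket.SOCK_DGRAM)
    try:
        probe.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, errno.EACCES):
            return False
        raise
    finally:
        probe.close()


def radius_ports_status(ports=(1812, 1813)):
    """Status of each listener port; 'in use' means something already holds it."""
    return {p: ("free" if udp_port_available(p) else "in use") for p in ports}


def hold_udp_port(host="0.0.0.0", port=0):
    """Bind and keep a UDP socket, returning (socket, port).

    With port=0 the kernel picks a free port. Used here to stand in for a
    stale radiusd, or any other daemon, still holding the listener port.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind((host, port))
    return holder, holder.getsockname()[1]


if __name__ == "__main__":
    # Default RADIUS auth and acct ports on this host.
    print(radius_ports_status())
    # Reproduce the symptom on a throwaway port, then show it clear once the
    # holder goes away: the 'find and kill the leftover process' advice.
    holder, port = hold_udp_port()
    print(port, radius_ports_status((port,)))
    holder.close()
    print(port, radius_ports_status((port,)))
```

On a dual-stack Linux host a socket already bound to 0.0.0.0:1812 also makes [::]:1812 unavailable, so a leftover IPv4 listener, such as the stale process Pradyumna suggests looking for, produces exactly the "::" error in the subject line even when nothing is listening on the IPv6 address itself.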
Re: /etc/raddb/radiusd.conf[249]: Error binding to port for :: port 1812
Dougan, Linda A wrote:
> I just upgraded to net-dialup/freeradius-2.1.7

Upgrade to 2.1.10.

Alan DeKok.
Re: Max-Octets
Brent wrote:
> However it is not disconnecting the user from the network once the limit has
> been reached,

RADIUS doesn't disconnect users. Most NAS software doesn't pay attention to any "max octets" attribute in the Access-Accept.

For chillispot, see the chillispot documentation and/or mailing lists for how to debug it.

> Any ideas on how I can disconnect the user,

Run a script that disconnects the user.

Alan DeKok.
Max-Octets
Please help, I've configured the following to enforce data limits per user:

sqlcounter noresetBytecounter {
    counter-name = Total-Max-Octets
    check-name = Max-Octets
    reply-name = ChilliSpot-Max-Total-Octets
    sqlmod-inst = sql
    key = User-Name
    reset = never
    query = "SELECT (SUM(AcctInputOctets)+SUM(AcctOutputOctets)) FROM radacct WHERE UserName='%{%k}'"
}

However it is not disconnecting the user from the network once the limit has been reached; however, if I log the user out and back in it then says user limit reached.

Any ideas on how I can disconnect the user?

PS: I have added chillispot's dictionary to the freeradius dictionary.

Many Thanks
Brent
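As an added example (an editor's illustration, not code from FreeRADIUS or from Brent), the sqlcounter logic above is replayed against an in-memory SQLite table: the counter query sums the radacct octets, the result is compared with the check item (Max-Octets) at authorize time, and the remainder is handed back as the reply item (ChilliSpot-Max-Total-Octets) for the NAS to enforce. It also reproduces the symptom in the post and Alan's answer to it: traffic that crosses the limit during a session changes nothing on the RADIUS side until the next login, because the module only runs in authorize. The sample rows and the function names are constructed for this example.

```python
import sqlite3

# Counter query from the sqlcounter block above. In the module, %{%k} is
# expanded to the key attribute (User-Name); here that becomes a bound parameter.
COUNTER_QUERY = (
    "SELECT (SUM(AcctInputOctets)+SUM(AcctOutputOctets)) "
    "FROM radacct WHERE UserName=?"
)

# Constructed radacct rows (not real accounting data): username, input, output octets.
SAMPLE_RADACCT = [
    ("brent", 400_000_000, 500_000_000),
    ("brent", 30_000_000, 20_000_000),
    ("alice", 10_000_000, 20_000_000),
]


def build_db(rows=SAMPLE_RADACCT):
    """In-memory stand-in for the radacct table, with just the summed columns."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radacct (UserName TEXT, AcctInputOctets INTEGER, AcctOutputOctets INTEGER)"
    )
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", rows)
    return db


def counter_value(db, username):
    """Octets used so far: what sqlcounter stores in counter-name (Total-Max-Octets)."""
    (total,) = db.execute(COUNTER_QUERY, (username,)).fetchone()
    return total or 0  # SUM() over zero rows is NULL: a user with no sessions has used 0


def authorize(db, username, max_octets):
    """Authorize-time decision of the sqlcounter module.

    max_octets is the check-name attribute (Max-Octets) from the user's check
    items; None means the user has no limit and the module does nothing.
    Returns ("reject", None) once the counter meets or exceeds the limit,
    otherwise ("accept", remaining), where remaining is what the module puts
    in the reply-name attribute (ChilliSpot-Max-Total-Octets).
    """
    if max_octets is None:
        return ("noop", None)
    used = counter_value(db, username)
    if used >= max_octets:
        return ("reject", None)
    return ("accept", max_octets - used)


def over_limit_mid_session(limit=1_000_000_000):
    """Replay the observation in the post.

    The first login is accepted with 50 million octets remaining. The NAS then
    reports more traffic and the total passes the limit, but nothing happens on
    the RADIUS side because the counter is only consulted in authorize; only
    the next login (user logs out and back in) is rejected.
    """
    db = build_db()
    first = authorize(db, "brent", limit)
    db.execute("INSERT INTO radacct VALUES (?, ?, ?)", ("brent", 60_000_000, 0))
    second = authorize(db, "brent", limit)
    return first, second


if __name__ == "__main__":
    print(over_limit_mid_session())
```

The bound parameter in COUNTER_QUERY is a design choice of this example; the module's own query interpolates the key through its xlat instead. Either way, the server can only refuse the next Access-Request: cutting the live session is the NAS's job, which is why Alan points at a disconnect script rather than at the counter.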
Re: ntlm_auth authentication results logging messages
On 05/19/2011 08:04 PM, John Douglass wrote:
> Now, the actual ntlm_auth command within the $RADIUS/modules/mschap does read:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> So it's not doing necessarily the same kind of authentication command as I was doing above but I have no idea how to simulate a challenge request on command line to verify :)

You can just run FreeRADIUS in debug mode and capture any ntlm_auth command line - they're re-usable, the "response" value is the same every time for a given challenge, username and password. Security revolves around the challenge being random and not re-used.

(I have some utilities for generating the response that I keep meaning to stick in an AppEngine page at some point)

> Login incorrect (mschap: External script says Logon failure (0xc06d)): [asdf/] (from client LAWN-WiSM port 29 cli 00-25-00-f5-a3-2b via TLS tunnel)
>
> However, "Logon failure" is nebulous when it could be either "bad password", "account disabled", or "no such user" that comes out of the "ntlm_auth" command (at least when I run it by hand). Is this the fault of the results of ntlm_auth being vague or is something else at play?

The former. As you noted above, you were testing with username/password auth as opposed to challenge/response auth. The latter gives a much smaller, less interesting (but arguably more secure) set of error codes. About all you get other than "Login failure" is "Password expired" (which the recent MS-CHAP password change patch I wrote looks for and acts on)

This is for boring reasons to do with the way Samba makes the RPC call against the domain, and gradual changes in Windows about what error codes it leaks (if you think about it, leaking the difference between "invalid user" and "invalid password" makes user/pass dictionary attacks easier)
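An added example (not from the thread): a parser for the "Login incorrect (mschap: External script says ...)" lines John quotes, which pulls out the user, NAS, calling station and the ntlm_auth reason, then does the defender-side thing Phil's explanation implies. Since the script reports little more than "Logon failure" or "Password expired", it counts failures per calling station rather than trying to tell bad passwords from unknown users. The sample log lines are constructed to match the shape of the quoted line (timestamp prefix, users and MACs are made up); all function names are this example's own.

```python
import re
from collections import Counter

# Constructed radius.log sample. The message shape follows the single
# "Login incorrect (mschap: External script says Logon failure (0xc06d))" line
# quoted in the thread; timestamps, users, MACs and the other lines are made up.
SAMPLE_LOG = """\
Fri May 20 10:14:03 2011 : Auth: Login incorrect (mschap: External script says Logon failure (0xc06d)): [asdf/] (from client LAWN-WiSM port 29 cli 00-25-00-f5-a3-2b via TLS tunnel)
Fri May 20 10:14:09 2011 : Auth: Login incorrect (mschap: External script says Logon failure (0xc06d)): [asdg/] (from client LAWN-WiSM port 29 cli 00-25-00-f5-a3-2b via TLS tunnel)
Fri May 20 10:14:15 2011 : Auth: Login incorrect (mschap: External script says Logon failure (0xc06d)): [asdh/] (from client LAWN-WiSM port 29 cli 00-25-00-f5-a3-2b via TLS tunnel)
Fri May 20 10:15:40 2011 : Auth: Login incorrect (mschap: External script says Password expired): [jdoe/] (from client LAWN-WiSM port 3 cli 00-11-22-33-44-55 via TLS tunnel)
Fri May 20 10:16:02 2011 : Auth: Login OK: [jsmith] (from client LAWN-WiSM port 7 cli 00-aa-bb-cc-dd-ee via TLS tunnel)
Fri May 20 10:16:30 2011 : Auth: Login incorrect: [guest/] (from client LOBBY-AP port 1)
"""

LINE_RE = re.compile(
    r"Login (?P<result>OK|incorrect)"
    r"(?: \((?P<detail>[^()]*(?:\([^()]*\))?[^()]*)\))?"  # (mschap: External script says ... (0x....))
    r": \[(?P<user>[^\]/]*)(?:/[^\]]*)?\]"                 # [user] or [user/password-if-logged]
    r" \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?"
    r"(?P<tunnel> via TLS tunnel)?\)"
)
REASON_RE = re.compile(r"says (?P<reason>.+?)(?: \((?P<code>0x[0-9a-fA-F]+)\))?$")


def parse_line(line):
    """Return a dict for one Auth log line, or None if it is not a login result."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["tunnel"] = rec["tunnel"] is not None
    rec["reason"] = rec["code"] = None
    if rec["detail"]:
        r = REASON_RE.search(rec["detail"])
        if r:
            rec["reason"], rec["code"] = r.group("reason"), r.group("code")
    return rec


def parse_log(text):
    """All login-result records in a log, in file order."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def failures_per_station(records, threshold=3):
    """Calling stations (cli) with at least `threshold` failed logins.

    ntlm_auth collapses bad-password, unknown-user and disabled-account into
    one 'Logon failure', so per-station failure volume is the usable signal.
    """
    counts = Counter(r["cli"] for r in records
                     if r["result"] == "incorrect" and r["cli"])
    return {cli: n for cli, n in counts.items() if n >= threshold}


def reasons_summary(records):
    """How often each external-script reason appears among the failures."""
    return Counter(r["reason"] for r in records if r["result"] == "incorrect")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(reasons_summary(recs))
    print(failures_per_station(recs))
```

The coarse error code is a feature here, as Phil notes: the log deliberately does not say whether "asdf" exists, so the detection has to key on behaviour (repeated failures from one station) rather than on the reason text.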
Re: Freeradius on windows server 2008
Thanks for your post. I know I can solve the problem by bypassing it. But it's not what I'm looking for. I just want to understand what is going wrong here in this particular case. It's just a test server on which I try some stuff. I'm sure a Linux VM will work just fine :)
Re: Freeradius on windows server 2008
heavysilence wrote:
> Running FreeRadius.net version 1.1.7 r0.0.2 on Windows Server 2008

That hasn't been updated for a *long* time.

> Authentication works fine in Debug mode. But starting the service normally,
> nothing happens. No response from the radius server. Tried to set user =
> nobody group = shadow user = root and all stuff that looks like that in
> every combination I could imagine. Still not working

Run it on a Linux VM, on Windows. That way you can use a recent version of the server, with all of the bug fixes && new features.

Alan DeKok.