Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)

2011-07-15 Thread Alan DeKok
Jacob Dawson wrote:
 Further testing suggests that neither the Perl nor the Realm module is 
 applying the Stripped-User-Name in the right scope.

  I have no idea what that means.  The Stripped-User-Name isn't magic.
It's just an attribute.  If it exists in the request list, you can refer
to it via %{Stripped-User-Name}

  If it's magically disappearing, then it's because something in your
configuration is making it disappear.  The default configuration works,
and doesn't do this.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: General wiki rules

2011-07-15 Thread Arran Cudbard-Bell

On Jul 14, 2011, at 9:57 PM, Phil Mayers wrote:

 On 07/14/2011 06:09 PM, Arran Cudbard-Bell wrote:
 
 1. HTML tags like 'pre' will not be parsed by all renderers, just
 because it works in Gollum, doesn't mean it will work with a proper
 renderer for that markup format.
 
 For markdown it's 3 spaces or a tab in front of every line, for RST 
 it's double colon, return, 4 spaces indent in front of every line.
 
 I strongly, strongly, strongly dislike (i.e. hate) this mode of doing code 
 or config files.
 
 Why? Because if you use <pre> or MoinMoin style {{{ you can just copy/paste 
 straight from the config file(s) you're pulling the examples from without 
 having to prepend whitespace.
 
 If you make me indent using whitespace to get preformatted text, then you've 
 lost me I'm afraid; I just won't bother. Those few seconds push the cost too 
 high.

Ok. I'm not saying these things to be an asshole. The point of moving to Gollum 
was that users would be able to contribute to the bundled documentation. The 
wiki now serves as a repository for server docs (or will do once we figure out 
subtrees), it just also happens to render those documents into HTML.

If you were rewriting server documentation which you knew was going to be read 
in plaintext format, would you start adding random HTML markup? The point of 
RST is that while it can be rendered up into another format such as HTML 
document, it should be just as easy to read and understand in its raw form.


 2. The main reason for moving to Gollum was so that users could
 contribute directly to documentation without needing to learn GIT.
 The end goal is to distribute the entire wiki with the server tar
 ball, which means people will be reading just the plaintext source.
 
 In which case, my argument holds the other way; people will want to 
 copy/paste straight out of the examples.

If they're pasting into a virtual server instance they're going to need to 
indent at least one set of tabs if they want to keep the config looking pretty. 
If they don't care then not having the code indented won't matter to them 
either way.

 You need to come up with something better for preformatted code IMHO. Your 
 choice of course.

There is no better alternative. You need to indent code blocks for them to be 
easily legible, as it breaks them out of the normal flow of the document.

If it's going to be a huge issue I could probably add something to gollum which 
converts <pre> tags into the appropriate white space scheme before committing 
the text to the repository. Would you still have an issue with this?

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: vlan ldap radiusd

2011-07-15 Thread Serge van Namen

Op 14 jul 2011, om 21:30 heeft Alexander Clouter het volgende geschreven:

 Serge van Namen svna...@snow.nl wrote:
 
 I'm working on a proof-of-concept for 802.1x and dynamic vlan's on 
 switches.
 
 All this works perfectly with user@realm, but now I want to read the 
 vlan ID from a ldap attribute and then send the radius request with 
 that value in Tunnel-Private-Group-ID.
 
 Reading an attribute for this is arguably silly in the context of LDAP. 
 Better to test for a group membership, otherwise you might as well shovel 
 everything in a relational database like SQL.

In our situation the user is bound to a VLAN, so on every workstation in the 
building the user authenticates and the switchport
becomes a member of the correct VLAN.

Correct me if I'm wrong but then we have to administer a separate database for 
hosts ( and in our case users )
Now we have 2 Auth-Types and Autz-Types.

1 connects with cn=x,dc=example,dc=com (VLANid x)
1 connects with cn=y,dc=example,dc=com (VLANid y)

Depending on the realm the user indicates when logging in (user@realm), 
authenticates and puts the Tunnel-Private-Group-Id in the reply with the 
correct VLAN id.

The problem: When using 'Login Window' based 802.1x.
So when the user puts in their user/pass at the login window, it does its 802.1x 
magic.

But with user@realm, LDAP doesn't understand this of course, so the @realm needs 
to be stripped when authenticating to LDAP.

So:

user@realm --- radius reads the realm, strips the @realm so LDAP understands, 
makes its auth/autz-type.

I hope you catch my drift. :)

 
 For us we create host LDAP objects, and then those objects are members 
 of a LDAP group which has details regarding the VLAN in it (and 
 subnetting, etc etc).
 
 I am slowly cobbling bits together on my website[1].  My post-auth looks 
 like:
 
 post-auth {
 
     # defaults
     update reply {
         Tunnel-Type := VLAN
         Tunnel-Medium-Type := IEEE-802
         Tunnel-Private-Group-Id := "unauthorised"
 
         Termination-Action := RADIUS-Request
         Session-Timeout := 300
 
         Acct-Interim-Interval := 3600
     }
 
     if ((EAP-Message) && !(Ldap-UserDn)) {
         cache_ldap-userdn
     }
 
     lanwarden_vlan
     if (!(control:Tunnel-Private-Group-Id) || (control:Tunnel-Private-Group-Id == "")) {
         if (Realm == "DEFAULT") {
             update reply {
                 Tunnel-Private-Group-Id := "eduroam"
             }
         }
         # to be removed once we register personal workstations
         elsif (Realm == "%{config:local.MY.realm}") {
             update reply {
                 Tunnel-Private-Group-Id := "users-unmanaged"
             }
         }
     }
     else {
         update reply {
             Tunnel-Private-Group-Id := "%{control:Tunnel-Private-Group-Id}"
         }
     }
     if (reply:Tunnel-Private-Group-Id != "unauthorised") {
         update reply {
             # Cisco only support a max of 65535
             Session-Timeout := 64800
         }
     }
 }
 
 
 'cache_ldap-userdn' you can find in the archives and the reasoning for 
 it, meanwhile lanwarden_vlan lurks in policy.conf and looks like:
 
 lanwarden_vlan {
     if ((control:Ldap-UserDn)) {
         # Spread the group lookups across the two LDAP servers; whichever
         # is tried first, the other is the fallback when the result is empty.
         if ("%{md5:%{client:secret}%{Calling-Station-Id}%l}" =~ /[0-7]$/) {
             update control {
                 Tunnel-Private-Group-Id := "%{ldap_lanwarden1:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
             }
             if (control:Tunnel-Private-Group-Id == "") {
                 update control {
                     Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
                 }
             }
         }
         else {
             update control {
                 Tunnel-Private-Group-Id := "%{ldap_lanwarden2:ldap:///ou=Networks,ou=LanWarden,o=soas?cn?one?(&(objectClass=lanwardenNetwork)(member=%{control:Ldap-UserDn}))}"
             }
             if (control:Tunnel-Private-Group-Id == "") {
                 update control {

Re: General wiki rules

2011-07-15 Thread Alexander Clouter
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 There is no better alternative. You need to indent code blocks for 
 them to be easily legible, as it breaks them out of the normal flow of 
 the document.

I think that's Phil's point.  The code he is cutting and pasting in is 
no doubt already indented.  However, what it probably has is either:
 * no initial indentation (start tab or space)
 * that indentation is probably a tab rather than <space><space>

I love dokuwiki for documentation, but it is a right ballache to find 
that when you cut and paste in your configuration snippet I *then* have 
to go through <space><space><home><down-cursor> goto 10 before it is 
usable.

Sure it seems not a biggy, but it is a right turnoff and makes us all 
less inclined to put in the effort.

 If it's going to be a huge issue I could probably add something to 
 gollum which converts <pre> tags into the appropriate white space 
 scheme before committing the text to the repository. Would you still 
 have an issue with this?
 
That would be pretty schweet.  I would not 'pre-process' the text, I 
would make sure those <pre>/{{{/whatever remain intact so you do not 
suffer indentation pain when editing existing content.

Cheers

-- 
Alexander Clouter
.sigmonster says: I'm having a MID-WEEK CRISIS!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: General wiki rules

2011-07-15 Thread Arran Cudbard-Bell

On Jul 15, 2011, at 10:30 AM, Alexander Clouter wrote:

 Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
 
 There is no better alternative. You need to indent code blocks for 
 them to be easily legible, as it breaks them out of the normal flow of 
 the document.
 
 I think that's Phil's point.  The code he is cutting and pasting in is 
 no doubt already indented.  However, what it probably has is either:
 * no initial indentation (start tab or space)
 * that indentation is probably a tab rather than <space><space>

Hmm re-reading the RST spec it seems that any indentation will work (i.e. one 
space before each line, or one tab).

To just include a chunk of preformatted, never-to-be-fiddled-with text, finish 
the prior paragraph with ::. The preformatted block is finished when the text 
falls back to the same indentation level as a paragraph prior to the 
preformatted block. For example:

An example::

    Whitespace, newlines, blank lines, and all kinds of markup
      (like *this* or \this) is preserved by literal blocks.
  Lookie here, I've dropped an indentation level
  (but not far enough)

no more example

Is that any better? I mean you don't *have* to edit the wiki page in situ, 
usually I copy the text out of the webpage into BBEdit then paste it back... 

What we could do for the very active Git savvy contributors would be to enable 
commit access to the wiki's repo, then you could work on the documents in gvim, 
vim, emacs... whatever at which point indenting blocks of code becomes very 
easy.

Also lets you work on pages offline.


 
 I love dokuwiki for documentation, but it is a right ballache to find 
 that when you cut and paste in your configuration snippet I *then* have 
 to go through <space><space><home><down-cursor> goto 10 before it is 
 usable.
 
 Sure it seems not a biggy, but it is a right turnoff and makes us all 
 less inclined to put in the effort.
 
 If it's going to be a huge issue I could probably add something to 
 gollum which converts <pre> tags into the appropriate white space 
 scheme before committing the text to the repository. Would you still 
 have an issue with this?
  
 That would be pretty schweet.  I would not 'pre-process' the text, I 
 would make sure those <pre>/{{{/whatever remain intact so you do not 
 suffer indentation pain when editing existing content.

But that'd mean I'd have to do the reverse when displaying the src, and I 
actually like viewing the src with indented code blocks compared to pre tags 
*sigh*.

I could add a javascript function mapped to a key combo, that indents selected 
lines by one tab (more universal than spaces)?

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
 In our situation the user is bound to a VLAN, so on every workstation 
 in the building the user authenticates and the switchport becomes a 
 member of the correct VLAN.

I *strongly* recommend not mixing host and user authentication, it's 
just too much of a brain <expletive>.  What happens on a computer you 
can SSH, terminal services into...user or host authentication?  Sure you 
can generalise, but you might as well just ignore the problem 
altogether.  Another example, user A walks in and authenticates 
themselves to the network and goes into VLAN x, that user then goes to 
lunch and evil user B starts to use the machine...

Obviously we all have our own policies and needs, but I recommend you 
push the 'user authentication' (authorisation too) into a higher level 
such as the application/server and not try to do it at the network 
layer.

This does not mean you cannot use user authentication to bootstrap host 
authentication.  For example our mindset here at work is that the user 
is stating I am responsible for this MAC address during this 
session...they might also be authorised to register that workstation 
into a particular VLAN to create some workstation credentials.  
'un-registered' (user bootstrapped) workstations go into VLAN 
'users-unmanaged' whilst our equipment goes into 'users-staff'.

Hope that makes sense...? :)
 
 Correct me if I'm wrong but then we have to administer a separate 
 database for hosts ( and in our case users ) Now we have 2 Auth-Types 
 and Autz-Types.
 
 1 connects with cn=x,dc=example,dc=com (VLANid x)
 1 connects with cn=y,dc=example,dc=com (VLANid y)
 
 Depending on the realm the user indicates when logging in 
 (user@realm), authenticates and puts the Tunnel-Private-Group-Id in 
 the reply with the correct VLAN id.
 
Well, you could just have users as members of network groups instead (do 
*not* repurpose an existing group).  I would suggest, if you have the 
time, create an enrollment page.  Unknown MAC addresses (even with a 
valid *user* 802.1X session) are redirected to a webpage to register the 
machine into a network (typically only one, maybe your helpdesk members 
would be permitted to register the equipment into a number of groups).  
This does not mean that you use MAC-auth for that machine, but the 
enrollment session could generate workstation credentials (EAP-TLS) to 
use or you could still enforce that user 802.1X credentials (not 
necessarily the original registrant's) need to be used to gain 
access.

This means you can permit users to register up to five devices for 
example.

 The problem: When using 'Login Window' based 802.1x.
 So when the user puts in their user/pass at the login window, it does its 802.1x 
 magic.
 
 But with user@realm, LDAP doesn't understand this of course, so the 
 @realm needs to be stripped when authenticating to LDAP.
 
 So:
 
 user@realm --- radius reads the realm, strips the @realm so LDAP 
 understands, makes its auth/autz-type.
 
 I hope you catch my drift. :)
 
This is covered in the FreeRADIUS documentation (and numerous 'eduroam' 
examples, it looks like you are aiming for this type of thing).  
'suffix' is what you want in your authorize section, you then pass to 
the ldap module 'Stripped-User-Name'.

Cheers

-- 
Alexander Clouter
.sigmonster says: Massachusetts has the best politicians money can buy.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: vlan ldap radiusd

2011-07-15 Thread Serge van Namen

Op 15 jul 2011, om 11:26 heeft Alexander Clouter het volgende geschreven:

 Serge van Namen svna...@snow.nl wrote:
 
 In our situation the user is bound to a VLAN, so on every workstation 
 in the building the user authenticates and the switchport becomes a 
 member of the correct VLAN.
 
 I *strongly* recommend not mixing host and user authentication, it's 
 just too much of a brain <expletive>.  What happens on a computer you 
 can SSH, terminal services into...user or host authentication?  

Host authentication is already dealt with on a higher level.
Unknown hosts already cannot join the network, ever. :)

 Sure you 
 can generalise, but you might as well just ignore the problem 
 altogether.  Another example, user A walks in and authenticates 
 themselves to the network and goes into VLAN x, that user then goes to 
 lunch and evil user B starts to use the machine...

Isn't that a problem of user awareness?
That is possible in every situation if the user doesn't lock their screen.
Or am I confused now?

 
 Obviously we all have our own policies and needs, but I recommend you 
 push the 'user authentication' (authorisation too) into a higher level 
 such as the application/server and not try to do it at the network 
 layer.

That is already dealt with, this Proof of Concept is just a network security 
extension, not a whole new implementation.

 
 This does not mean you cannot use user authentication to bootstrap host 
 authentication.

Exactly, the purpose is just for bootstrapping and to create 
'flexible-workplaces'

  For example our mindset here at work is that the user 
 is stating I am responsible for this MAC address during this 
 session...they might also be authorised to register that workstation 
 into a particular VLAN to

...

 create some workstation credentials.  

Don't quite understand this part. :)

 'un-registered' (user bootstrapped) workstations go into VLAN 
 'users-unmanaged' whilst our equipment goes into 'users-staff'.
 Hope that makes sense...? :)

Do you mean: unauthorised, the user is put in the default (jailed) VLAN?

 
 Correct me if I'm wrong but then we have to administer a separate 
 database for hosts ( and in our case users ) Now we have 2 Auth-Types 
 and Autz-Types.
 
 1 connects with cn=x,dc=example,dc=com (VLANid x)
 1 connects with cn=y,dc=example,dc=com (VLANid y)
 
 Depending on the realm the user indicates when logging in 
 (user@realm), authenticates and puts the Tunnel-Private-Group-Id in 
 the reply with the correct VLAN id.
 
 Well, you could just have users as members of network groups instead (do 
 *not* repurpose an existing group).  I would suggest, if you have the 
 time, create an enrollment page.  Unknown MAC addresses (even with a 
 valid *user* 802.1X session) are redirected to a webpage to register the 
 machine into a network (typically only one, maybe your helpdesk members 
 would be permitted to register the equipment into a number of groups).  
 This does not mean that you use MAC-auth for that machine, but the 
 enrollment session could generate workstation credentials (EAP-TLS) to 
 use or you could still enforce that user 802.1X credentials (not 
 necessarily the original registrant's) need to be used to gain 
 access.

We don't want to manage complex device lists, we just don't want unwanted 
hardware in our network.

MAC address / device management is not in the scope of the Proof of Concept. :)

Just:

User A: VLAN X
User B: VLAN Y
User C: VLAN X

etc.

 
 This means you can permit users to register up to five devices for 
 example.
 
 The problem: When using 'Login Window' based 802.1x.
 So when the user puts in their user/pass at the login window, it does its 802.1x 
 magic.
 
 But with user@realm, LDAP doesn't understand this of course, so the 
 @realm needs to be stripped when authenticating to LDAP.
 
 So:
 
 user@realm --- radius reads the realm, strips the @realm so LDAP 
 understands, makes its auth/autz-type.
 
 I hope you catch my drift. :)
 
 This is covered in the FreeRADIUS documentation (and numerous 'eduroam' 
 examples, it looks like you are aiming for this type of thing).  
 'suffix' is what you want in your authorize section, you then pass to 
 the ldap module 'Stripped-User-Name'.

Thanks! One of the things I was looking for.

 
 Cheers
 
 -- 
 Alexander Clouter
 .sigmonster says: Massachusetts has the best politicians money can buy.
 

Yours,

Serge



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: General wiki rules

2011-07-15 Thread Phil Mayers
Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

Ok. I'm not saying these things to be an asshole. The point of moving
to Gollum was that users would be able to contribute to the bundled
documentation. The wiki now serves as a repository for server docs (or
will do once we figure out subtrees), it just also happens to render
those documents into HTML.

If you were rewriting server documentation which you knew was going to
be read in plaintext format, would you start adding random HTML markup?
The point of RST is that while it 

I get that, and your efforts are much appreciated. My point was as Alex 
clarified - it's a pain to indent lines with space/tab in a browser text box. 
So much so that it will put me off contributing. There are loads of possible 
solutions - permit <pre>, convert it as per your suggestion, offer a button 
that uses javascript to indent the current selection...

Personally I find the argument for plaintext docs weakens with every passing 
year; I routinely read the ISC bind ARM with links in a terminal. But if you're 
going to use plaintext, and to rule against certain plaintext markup forms, 
'hit space a lot' is not for me a compelling alternative :o)
-- 
Sent from my phone. Please excuse brevity and typos.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Juniper ERX and checkrad

2011-07-15 Thread Igor Smitran
It is my first time setting up a Juniper ERX-1440 with freeradius. All my 
other NASes are Cisco.
I was trying to set up checkrad to check for simultaneous connections and 
realized that Juniper is not listed in the NAS type list.

Can someone help me with getting checkrad to work with Juniper ERX?

Thank you
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)

2011-07-15 Thread Jacob Dawson

On 15 Jul 2011, at 02:51, Alan DeKok wrote:

 Jacob Dawson wrote:
 Further testing suggests that neither the Perl nor the Realm module is 
 applying the Stripped-User-Name in the right scope.
 
  I have no idea what that means.  The Stripped-User-Name isn't magic.
 It's just an attribute.  If it exists in the request list, you can refer
 to it via %{Stripped-User-Name}
 
  If it's magically disappearing, then it's because something in your
 configuration is making it disappear.  The default configuration works,
 and doesn't do this.

In the case of the perl module, it was me doing the boneheaded thing of adding 
it to RADREPLY and not RADREQUEST.  Given that mistake corrected, and that I 
got my unlang mangling of the request also functioning properly, I'm making 
forward progress again.  Thanks to the community for that.

As far as realms goes...I found my error.  I commented out a small chunk of 
code in rlm_realm.c that I don't think does quite the right thing, but on 
further reading, I realize that, while it might not do what I think is quite 
the right thing, it still does something important, and that's actually writing 
attributes to the request.

Unfortunately, when you set nostrip in the config, it doesn't add a 
Stripped-User-Name attribute to the request, but when you unset it, rlm_realm 
adds a Stripped-User-Name attribute and also updates the User-Name attribute to 
the same value.  Since I need to perform some authorization checks on the 
stripped user name, if I want to do this with realms, I need to unset nostrip, 
but if I do that, it rewrites User-Name, and then the wrong username (the 
stripped one) gets sent to my AD servers, which reject it.  Consequently, I 
don't think those three lines do quite the right thing, but I'm leery of 
submitting a patch to change that, because it's a noticeable change to the 
behavior.

Thanks for making me look it over again.

- Jacob
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
 'un-registered' (user bootstrapped) workstations go into VLAN 
 'users-unmanaged' whilst our equipment goes into 'users-staff'.
 Hope that makes sense...? :)
 
 Do you mean: unauthorized, user be put in default (jailed) vlan?
 
I work for a university so we have a lot of equipment that we do not 
maintain but is owned by the students/staff that needs to connect.  So, 
we have three main workstation VLANs:
 * unauthorised
 * users-unmanaged
 * users-staff

Unknown MAC addresses go into 'unauthorised' which is a sandpit network 
which does nothing more than redirect the web browser to our 
'unauthorised workstation' webpage[1].  There they are permitted to get 
to a few websites (microsoft.com, etc) and to the instructions/tools 
they need to configure their computer for 802.1X.

When they are 802.1Xing, they get put into 'users-unmanaged' which gives 
them all the access they could want, and that I am willing to give them.  
One day, when I find the time, I will have a 'pre-registration' VLAN (or 
more likely dual-purpose 'unauthorised') for unrecognised MAC addresses 
that have gotten past 'unauthorised' by doing 802.1X with some user 
credentials.

'users-staff' is currently MAC-auth workstations that we maintain, the 
helpdesk would not love me if I forced them to configure each 
workstation for 802.1X (we are condemned with Novell and not AD...but 
apparently not for much longer).  :)

One day, to get into 'users-staff', you will need to do EAP-TLS, but for 
now it is just MAC-auth.

There is no different level of access between 'users-staff' and 
'users-unmanaged' here, we just wanted to keep equipment that we 
maintain and equipment we do not in different subnets.  Mainly to keep 
the subnets small :)

Cheers

[1] 
http://www.soas.ac.uk/itsupport/personal-equipment/unauthorised-workstation.html

-- 
Alexander Clouter
.sigmonster says: Where do you think you're going today?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)

2011-07-15 Thread Phil Mayers
Jacob Dawson daw...@vt.edu wrote:


Unfortunately, when you set nostrip in the config, it doesn't add a
Stripped-User-Name attribute to the request, but when you unset it,
rlm_realm adds a Stripped-User-Name attribute and also updates the
User-Name attribute to the same value.  

I am 90% sure that's not what rlm_realm does. We use unlang to process realms 
now, but I am certain we used it with nostrip and it left the original 
User-Name intact and populated Stripped-User-Name.
-- 
Sent from my phone. Please excuse brevity and typos.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: vlan ldap radiusd

2011-07-15 Thread Serge van Namen

Op 15 jul 2011, om 14:34 heeft Alexander Clouter het volgende geschreven:

 Serge van Namen svna...@snow.nl wrote:
 
 'un-registered' (user bootstrapped) workstations go into VLAN 
 'users-unmanaged' whilst our equipment goes into 'users-staff'.
 Hope that makes sense...? :)
 
 Do you mean: unauthorized, user be put in default (jailed) vlan?
 
 I work for a university so we have a lot of equipment that we do not 
 maintain but is owned by the students/staff that needs to connect.  So, 
 we have three main workstation VLANs:
 * unauthorised
 * users-unmanaged
 * users-staff
 
 Unknown MAC addresses go into 'unauthorised' which is a sandpit network 
 which does nothing more than redirect the web browser to our 
 'unauthorised workstation' webpage[1].  There they are permitted to get 
 to a few websites (microsoft.com, etc) and to the instructions/tools 
 they need to configure their computer for 802.1X.
 
 When they are 802.1Xing, they get put into 'users-unmanaged' which gives 
 them all the access they could want, and that I am willing to give them.  
 One day, when I find the time, I will have a 'pre-registration' VLAN (or 
 more likely dual-purpose 'unauthorised') for unrecognised MAC addresses 
 that have gotten past 'unauthorised' by doing 802.1X with some user 
 credentials.
 
 'users-staff' is currently MAC-auth workstations that we maintain, the 
 helpdesk would not love me if I forced them to configure each 
 workstation for 802.1X (we are condemned with Novell and not AD...but 
 apparently not for much longer).  :)
 
 One day, to get into 'users-staff', you will need to do EAP-TLS, but for 
 now it is just MAC-auth.
 
 There is no different level of access between 'users-staff' and 
 'users-unmanaged' here, we just wanted to keep equipment that we 
 maintain and equipment we do not in different subnets.  Mainly to keep 
 the subnets small :)

Clean solution. :)


I managed to strip the username; it authenticates successfully against 
LDAP.
But eventually it fails on EAP I think, because the username isn't the original 
from the request.

  rlm_realm: Looking up realm "Y" for User-Name = "userA@Y"
  rlm_realm: Found realm "Y"
  rlm_realm: Adding Stripped-User-Name = "userA"
  rlm_realm: Proxying request from user userA to realm Y
  rlm_realm: Adding Realm = "Y"
  rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
    users: Matched entry DEFAULT at line 7
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user.  Authentication 
may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  Found Autz-Type LdapY
  Processing the authorize section of radiusd.conf
modcall: entering group LdapY for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for userA
radius_xlat:  '(uid=userA)'
radius_xlat:  'ou=y,ou=people,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=y,ou=people,dc=example,dc=com, with filter 
(uid=userA)
rlm_ldap: Added password {SSHA}X in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == {SSHA}X
rlm_ldap: looking for reply items in directory...
rlm_ldap: user userA authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "Y" returns ok for request 3
modcall: leaving group LdapY (returns ok) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Identity does not match User-Name, setting from EAP Identity.
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 3
modcall: leaving group authenticate (returns invalid) for request 3
auth: Failed to validate the user.
Login incorrect: [userA] (from client radius port 16797697 cli 0017-f3f2-4572)
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 22 to 1.2.3.4 port 1024
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 22 with timestamp 4e203537
Nothing to do.  Sleeping until we see a request.


Do I need to add the Suffix again to the reply?

Yours,

Serge


 
 Cheers
 
 [1] 
 http://www.soas.ac.uk/itsupport/personal-equipment/unauthorised-workstation.html
 
 -- 
 Alexander Clouter
 .sigmonster says: Where do you think you're going today?
 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
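An added configuration example, written for this archive page and not taken from any message in the thread, that ties together Alexander's advice above (put 'suffix' in authorize and hand the ldap module Stripped-User-Name; decide the VLAN from group membership rather than a per-user attribute) and the failure in Serge's debug output, where the request dies in rlm_eap once the username no longer matches the EAP Identity. It is FreeRADIUS 2.x syntax; the realm name Y, the LDAP host and base DN, the group names net-vlan-x/net-vlan-y and the VLAN names are assumptions for illustration.

```unlang
# --- raddb/proxy.conf --------------------------------------------------------
# Realms rlm_realm (the "suffix" instance) is allowed to recognise. Neither has
# a home server, so "userA@Y" is handled locally rather than proxied. Because
# "nostrip" is NOT set, suffix adds Stripped-User-Name = "userA" and
# Realm = "Y" to the request list and leaves User-Name = "userA@Y" exactly as
# the supplicant sent it. That matters for EAP: rlm_eap compares User-Name
# with the EAP Identity and refuses to proceed when they differ (the
# "Identity does not match User-Name" line in the debug output above).
realm Y {
}
# Users who type no "@realm" at all.
realm NULL {
}

# --- raddb/modules/ldap (host, base DN and group names are assumed) ----------
ldap {
    server = "ldap.example.com"
    basedn = "ou=people,dc=example,dc=com"
    # Search on the stripped name, falling back to User-Name when no realm was
    # present or the realm was defined with "nostrip". Never rewrite User-Name
    # to get this effect.
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    # VLAN assignment is driven by group membership (see post-auth), not by a
    # free-form attribute on the user object.
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
    # {SSHA} hashes can be verified by rlm_pap (EAP-TTLS/PAP, EAP-GTC) but not
    # by MS-CHAPv2, so PEAP/EAP-MSCHAPv2 cannot work against this directory.
    password_attribute = userPassword
}

# --- raddb/sites-enabled/default (same authorize/post-auth in inner-tunnel) --
authorize {
    preprocess
    suffix
    eap {
        ok = return
    }
    # The realm is user-controlled input (it is whatever follows '@'). Only
    # realms listed in proxy.conf get as far as the directory; anything else
    # is rejected instead of being used to choose a search base.
    if (!(Realm) || ((Realm != "Y") && (Realm != "NULL"))) {
        reject
    }
    ldap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}

post-auth {
    # Default: an authenticated user who is in no network group lands in the
    # quarantine VLAN rather than in a production one.
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := "unauthorised"
    }
    # Ldap-Group is the check attribute rlm_ldap registers; comparing it runs
    # groupmembership_filter for the DN found in authorize.
    if (Ldap-Group == "net-vlan-x") {
        update reply {
            Tunnel-Private-Group-Id := "x"
        }
    }
    elsif (Ldap-Group == "net-vlan-y") {
        update reply {
            Tunnel-Private-Group-Id := "y"
        }
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

For PEAP or EAP-TTLS the name that carries the realm is the inner identity, so 'suffix', 'ldap' and the post-auth VLAN logic belong in sites-enabled/inner-tunnel, and eap.conf needs use_tunneled_reply = yes in the peap or ttls subsection so the Tunnel-* attributes set there are copied into the outer Access-Accept; with the defaults the switch never sees them. Run radiusd -X and confirm you see "Adding Stripped-User-Name" and that User-Name in the request is still the full user@realm string when the eap module runs. Serge's per-realm subtrees (ou=x and ou=y) are a second ldap instance with its own basedn, selected with if (Realm == "x") { ldapX } in authorize; the group check attribute for a named instance is then ldapX-Ldap-Group.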

Error with AD/freeradius config

2011-07-15 Thread Edge
OK, sorry as this is a long mail because I'm going to include as much config
as possible.
I have been playing around trying to get this to work with little success,
though the debug error messages have changed since yesterday.
I'm having trouble getting freeradius to use ntlm_auth - the error message is
now stating a permission error.
Just to confirm, I'm following the steps on deployingradius.com.

PAP has been tested and is working
Samba configured and working
wbinfo -a = works, having tested multiple logins
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user
--password=password = working, again tested with multiple logins
radtest user password localhost 0 testing123 = does not work, see debug info
at end of email..


Contents of/raddb/modules/ntlm_auth file

#
#  For testing ntlm_auth authentication with PAP.
#
#  If you have problems with authentication failing, even when the
#  password is good, it may be a bug in Samba:
#
#   https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
	wait = yes
	program = "/usr/local/etc/raddb/modules/ntlm_auth --request-nt-key --domain=xx --username=%{mschap:User-Name} --password=%{User-Password}"
}



I have modified the authenticate sections of the raddb/sites-enabled/default
file, and of the raddb/sites-enabled/inner-tunnel file
Listed below are the authenticate sections only as that is all I have
changed
sites-enabled/default



authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#  ntlm authentication.

ntlm_auth

#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authorize' section.
digest

#
#  Pluggable Authentication Modules.
#   pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#
#  For normal crypt authentication, the pap module should
#  be used instead of the unix module.  The unix module should
#  be used for authentication ONLY for compatibility with legacy
#  FreeRADIUS configurations.
#
unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means check plain-text password against
# the ldap database, which means that EAP won't work,
# as it does not supply a plain-text password.
#   Auth-Type LDAP {
#   ldap
#   }

#
#  Allow EAP authentication.
eap

#
#  The older configurations sent a number of attributes in
#  Access-Challenge packets, which wasn't strictly correct.
#  If you want to filter out these attributes, uncomment
#  the following lines.
#
#	Auth-Type eap {
#		eap {
#			handled = 1
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}
#


raddb/sites-enabled/inner-tunnel file - again just showing the bit
modified..

#
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}


#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}


#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
#  NTLM authentication.

ntlm_auth

#  Pluggable Authentication Modules.
#   pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against 

Re: Error with AD/freeradius config

2011-07-15 Thread Arran Cudbard-Bell

On Jul 15, 2011, at 4:26 PM, Edge wrote:

 Exec-Program output: Exec-Program: FAILED to execute
 /usr/local/etc/raddb/modules/ntlm_auth: Permission denied 
 Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
 /usr/local/etc/raddb/modules/ntlm_auth: Permission denied 

Helps to actually read the debug output you're posting ;)

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



Re: Stripped-User-Name Problems (Re: Unmatched ( or \(, and, more broadly, setting Stripped-User-Name)

2011-07-15 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote:

Unfortunately, when you set nostrip in the config, it doesn't add a
Stripped-User-Name attribute to the request, but when you unset it,
rlm_realms adds a Stripped-User-Name attribute and also updates the
User-Name attribute to the same value.  

 I am 90% sure that's not what rlm_realm does. We use unlang to process 
 realms now, but I am certain we used it with nostrip and it left the 
 original User-Name intact and populated Stripped-User-Name.

You are right, we use rlm_realm and it leaves User-Name unadulterated.

This sounds like maybe the *inner* auth User-Name is realmless and 
making its way out into outer.reply.  When you use 'User-Name' in 
post-auth{} you will get reply:User-Name rather than request:User-Name 
if I remember correctly.

The fix is to *reject* inner-authentications that are realm-less.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.



RE: Error with AD/freeradius config

2011-07-15 Thread Gary Gatten
Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied


Your path to ntlm auth is wrong.  You need to specify the path to the ntlm auth 
bin/exe that comes with samba.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Edge
Sent: Friday, July 15, 2011 9:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Error with AD/freeradius config

OK, sorry as this is a long mail because I'm going to include as much config
as possible.
I have been playing around trying to get this to work with little success,
though the debug error messages have changed since yesterday.
I'm having trouble getting freeradius to use ntlm_auth - the error message is
now stating a permission error.
Just to confirm, I'm following the steps on deployingradius.com.

PAP has been tested and is working
Samba configured and working
wbinfo -a = works, having tested multiple logins
ntlm_auth --request-nt-key --domain=MYDOMAIN --username=user
--password=password = working, again tested with multiple logins
radtest user password localhost 0 testing123 = does not work, see debug info
at end of email..


Contents of/raddb/modules/ntlm_auth file

#
#  For testing ntlm_auth authentication with PAP.
#
#  If you have problems with authentication failing, even when the
#  password is good, it may be a bug in Samba:
#
#   https://bugzilla.samba.org/show_bug.cgi?id=6563
#
exec ntlm_auth {
	wait = yes
	program = "/usr/local/etc/raddb/modules/ntlm_auth --request-nt-key --domain=xx --username=%{mschap:User-Name} --password=%{User-Password}"
}



I have modified the authenticate sections of the raddb/sites-enabled/default
file, and of the raddb/sites-enabled/inner-tunnel file
Listed below are the authenticate sections only as that is all I have
changed
sites-enabled/default



authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}

#
#  Most people want CHAP authentication
#  A back-end database listed in the 'authorize' section
#  MUST supply a CLEAR TEXT password.  Encrypted passwords
#  won't work.
Auth-Type CHAP {
chap
}

#
#  MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#  ntlm authentication.

ntlm_auth

#  If you have a Cisco SIP server authenticating against
#  FreeRADIUS, uncomment the following line, and the 'digest'
#  line in the 'authorize' section.
digest

#
#  Pluggable Authentication Modules.
#   pam

#
#  See 'man getpwent' for information on how the 'unix'
#  module checks the users password.  Note that packets
#  containing CHAP-Password attributes CANNOT be authenticated
#  against /etc/passwd!  See the FAQ for details.
#
#  For normal crypt authentication, the pap module should
#  be used instead of the unix module.  The unix module should
#  be used for authentication ONLY for compatibility with legacy
#  FreeRADIUS configurations.
#
unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means check plain-text password against
# the ldap database, which means that EAP won't work,
# as it does not supply a plain-text password.
#   Auth-Type LDAP {
#   ldap
#   }

#
#  Allow EAP authentication.
eap

#
#  The older configurations sent a number of attributes in
#  Access-Challenge packets, which wasn't strictly correct.
#  If you want to filter out these attributes, uncomment
#  the following lines.
#
#	Auth-Type eap {
#		eap {
#			handled = 1
#		}
#		if (handled && (Response-Packet-Type == Access-Challenge)) {
#			attr_filter.access_challenge.post-auth
#			handled  # override the "updated" code from attr_filter
#		}
#	}
}
#


raddb/sites-enabled/inner-tunnel file - again just showing the bit
modified..

#
authenticate {
#
#  PAP authentication, when a back-end database listed
#  in the 'authorize' section supplies a password.  The
#  password can be clear-text, or encrypted.
Auth-Type PAP {
pap
}


#
#  Most people want CHAP authentication
# 

Re: Error with AD/freeradius config

2011-07-15 Thread Edge
Hi

Arran, I did read the debug messages, I just didn't understand what they
were telling me, I couldn't understand why it had failed to execute as the
file was there, I was root and I even tried using an admin account - just in
case..
Gary has given me a clue so off I go hunting..

Thanks Guys and have a good weekend


RE: Error with AD/freeradius config

2011-07-15 Thread Sallee, Stephen (Jake)
If I may interject... if Gary's hint does not pan out I would suggest also 
checking that the ntlm_auth binary is accessible to the FR daemon, I had an 
issue on my box that the file permissions were correct but one of the 
directories in the path was denying me access. So not only does the file need 
the correct permissions but every directory in the path does too.  That one was 
a bugger to pin down the first time I came against it : )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Edge
Sent: Friday, July 15, 2011 10:42 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Error with AD/freeradius config 

Hi

Arran, I did read the debug messages, I just didn't understand what they were 
telling me, I couldn't understand why it had failed to execute as the file was 
there, I was root and I even tried using an admin account - just in case..
Gary has given me a clue so off I go hunting..

Thanks Guys and have a good weekend


RE: Error with AD/freeradius config

2011-07-15 Thread Gary Gatten
I can't guarantee the syntax of the ntlm_auth command is correct for OP's 
particular environment, but I will guarantee you must specify the correct path 
to the Samba ntlm_auth binary.

As for perms, I agree they can be tricky.  If I run into issues I typically 
start running stuff as root.  Not fail safe, but does uncover perms issues 
pretty quick.

G


-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org 
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On 
Behalf Of Sallee, Stephen (Jake)
Sent: Friday, July 15, 2011 10:53 AM
To: FreeRadius users mailing list
Subject: RE: Error with AD/freeradius config

If I may interject... if Gary's hint does not pan out I would suggest also 
checking that the ntlm_auth binary is accessible to the FR daemon, I had an 
issue on my box that the file permissions were correct but one of the 
directories in the path was denying me access. So not only does the file need 
the correct permissions but every directory in the path does too.  That one was 
a bugger to pin down the first time I came against it : )

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org 
[mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On 
Behalf Of Edge
Sent: Friday, July 15, 2011 10:42 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Error with AD/freeradius config

Hi

Arran, I did read the debug messages, I just didn't understand what they were 
telling me, I couldn't understand why it had failed to execute as the file was 
there, I was root and I even tried using an admin account - just in case..
Gary has given me a clue so off I go hunting..

Thanks Guys and have a good weekend

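What the three replies above add up to (Gary: the program path must name the Samba binary; Jake: every directory on that path must be traversable by the daemon; the debug line itself: "FAILED to execute ...: Permission denied"), written out as an added configuration example. This is not the poster's file and not text from deployingradius.com or the FreeRADIUS distribution. It assumes FreeRADIUS 2.x, Samba's ntlm_auth installed at /usr/bin/ntlm_auth (find the real location with "command -v ntlm_auth"), and an NT domain called EXAMPLE in place of the poster's "xx"; all three are placeholders.

```unlang
#  Added example, not the poster's configuration.  Assumptions: FreeRADIUS
#  2.x; Samba's ntlm_auth at /usr/bin/ntlm_auth; NT domain "EXAMPLE".

#  raddb/modules/ntlm_auth
exec ntlm_auth {
	wait = yes

	#  "program" must point at the Samba binary.  The poster's value,
	#  /usr/local/etc/raddb/modules/ntlm_auth, is this text file: execve()
	#  on a file without the execute bit fails with EACCES, which the
	#  server reports as "FAILED to execute ...: Permission denied".  The
	#  same error appears when any directory on the path lacks "x" for the
	#  user radiusd runs as.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"
}

#  raddb/sites-enabled/default and raddb/sites-enabled/inner-tunnel,
#  authorize section: send PAP requests to the exec module.  "=" adds
#  Auth-Type only if no earlier module (pap for local accounts, eap for
#  EAP) has already chosen one, so those keep working; it must therefore
#  come after "pap".
authorize {
	preprocess
	chap
	mschap
	suffix
	eap
	files
	expiration
	logintime
	pap

	if (User-Password) {
		update control {
			Auth-Type = ntlm_auth
		}
	}
}

#  authenticate section: listing the module by name is what defines
#  Auth-Type ntlm_auth (the poster already has this part).
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	ntlm_auth
	eap
}
```

To check the path and the directory permissions together, run the exact command line as the daemon user rather than as root (root bypasses directory "x" bits, which is why the poster's own test passed); with a Debian-style service account called freerad, that is: su -s /bin/sh -c "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=user --password=pass" freerad (the account name is distribution-specific, radiusd on Red Hat builds). The same test exposes a second permission the daemon needs: --request-nt-key talks to winbindd through its privileged socket directory, so the service account must be allowed to read that directory as well, as described in the Samba documentation.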

Re: Juniper ERX and checkrad

2011-07-15 Thread Fred
cat /usr/share/freeradius/dictionary.juniper

Best regards,
Fred MAISON

2011/7/15, Igor Smitran si...@blic.net:
 It is my first time to set up Juniper ERX-1440 with freeradius. All my
 other NASes are Cisco.
 I was trying to set up checkrad to check for simultaneous connections and
 realized that juniper is not listed in nas type list.
 Can someone help me with getting checkrad to work with Juniper ERX?

 Thank you


Re: vlan ldap radiusd

2011-07-15 Thread Alexander Clouter
Serge van Namen svna...@snow.nl wrote:
 
 I managed to strip the username; it authenticates successfully against 
 LDAP.
 But eventually it fails on EAP I think, because the username isn't the 
 original from the request.
 
 [snipped]
users: Matched entry DEFAULT at line 7
  modcall[authorize]: module files returns ok for request 3

What does this do?

You must not change User-Name at all...I suspect somewhere in your 
configuration you are doing so to try to fix another problem.  If you 
want the User-Name to be realmless then use Stripped-User-Name or use 
unlang to populate something like Tmp-String-0.

 rlm_ldap: - authorize
 rlm_ldap: performing user authorization for userA
 radius_xlat:  '(uid=userA)'
 radius_xlat:  'ou=y,ou=people,dc=example,dc=com'

What are you xlat'ing?  Can we see your configuration?  Are you using 
ldap xlat to set User-Name?  If so, don't!

Cheers

-- 
Alexander Clouter
.sigmonster says: fortune: not found

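Alexander Clouter's advice in this thread ("You must not change User-Name at all... use Stripped-User-Name or use unlang to populate something like Tmp-String-0") and in the Stripped-User-Name thread above ("The fix is to *reject* inner-authentications that are realm-less") combined into one added unlang example. This is not configuration from either thread or from the FreeRADIUS distribution. It assumes a FreeRADIUS 2.x server, the stock "suffix" instance of rlm_realm (which splits on "@"), no "realm NULL" in proxy.conf, and a realm called example.com with an LDAP server ldap.example.com and base ou=people,dc=example,dc=com, all of which are placeholders for whatever the site really uses.

```unlang
#  Added example, not configuration from this thread or from the FreeRADIUS
#  distribution.  Assumptions: FreeRADIUS 2.x unlang, the stock "suffix"
#  instance of rlm_realm, no "realm NULL" defined, and placeholder names
#  example.com / ldap.example.com / ou=people,dc=example,dc=com.

#  raddb/proxy.conf: a realm with no home servers is handled locally, which
#  is all rlm_realm needs in order to recognise and strip the suffix.
realm example.com {
}

#  raddb/sites-enabled/inner-tunnel, authorize section.  The identity sent
#  inside the PEAP/TTLS tunnel arrives here as User-Name; rlm_eap compares
#  it with the EAP identity later ("Identity does not match User-Name" in
#  the debug output above is that comparison failing), so User-Name must be
#  left exactly as it was received.
authorize {
	chap
	mschap

	#  Splits "userA@example.com" into Stripped-User-Name = "userA" and
	#  Realm = "example.com".  User-Name itself is untouched.
	suffix

	#  No "@realm": rlm_realm matched nothing and set neither attribute
	#  (this relies on no "realm NULL" existing).  Reject now, instead of
	#  letting a realm-less inner identity reach post-auth and surface in
	#  the outer reply as reply:User-Name.
	if (!Stripped-User-Name) {
		update reply {
			Reply-Message := "inner identity must be user@realm"
		}
		reject
	}

	#  Inner requests are never proxied, whatever realm was found.
	update control {
		Proxy-To-Realm := LOCAL
	}

	eap
	files
	ldap
	pap
}

#  raddb/modules/ldap: look the user up by the stripped name.  The filter
#  below is the one the shipped module uses; its fallback to User-Name
#  only matters for requests that carry no realm at all.  Nothing here
#  writes to User-Name, so the EAP identity check still passes.
ldap {
	server = "ldap.example.com"
	basedn = "ou=people,dc=example,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
}
```

If some later step genuinely needs a derived name (a VLAN table keyed on the bare login, say), compute it into a scratch attribute such as Tmp-String-0 with "update request" and read that; the one thing never to do is assign the result back to User-Name.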