Re: Quota based on time with squid
On Fri, Oct 21, 2011 at 9:07 PM, Alan DeKok wrote:
>> I need to assign quota to squid users based on the weekly/hourly
>> basis. I need users radius server to return packet reject when time is
>> expired. is it possible in radius?
>
> Yes. See the "counter" module, or the "sqlcounter" module.
>
> The main issue is that they require the NAS to send accounting
> packets. I don't know if squid does that.

Yes it does. There are many configuration examples available on the net.

Kind regards,
Yves
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Assert Failed on Proxing
On Fri, Oct 21, 2011 at 9:28 PM, andreapepa wrote:
> obviously, Phil...
> my questions, not well explained, was about upgrading the package.
>
> i can be sure that with this procedure i will have freeradius upgrade or two
> version of FR installed ?

If you install a new version from source using simple ./configure && make && make install,
you'll most likely end up with two versions of FR, with the new one in /usr/local/

If you upgrade it with a package (either created yourself, or use someone else's), you
have only one FR version.

To build your own package: http://wiki.freeradius.org/Build#Building+Debian+packages .
Judging from your question, this is the best option for you.

If you're feeling lazy and know how to use Ubuntu's packages on debian, try my
unofficial ppa on https://launchpad.net/~freeradius/+archive/stable. One of them
(natty or lucid version) should work for you.

> maybe this is another basic question.. but are you sure that i will get no
> problem with any dependencies?

If you use packages they will tell you if you have dependency problems, and (in most
cases) can automatically install the dependency.

--
Fajar
Re: SSL error after updating cert
On 21/10/2011 22:31, Eric Geier wrote:
> Thanks for the reply! Yes, the clients are set with correct time/date.
>
> That command didn't work. Did you mean openssl verify command? I ran that
> and both the old cert (still valid for a few days) and the new cert
> (already valid) show the correct domain but then says:
>
>> 2) do:
>> openssl -in /path/to/your/raddb/server-cert.pem -noout -text
>> and verify the properties of the cert you have.

I forgot the x509, it should have been:

openssl x509 -in /path/to/your/raddb/server-cert.pem -noout -text

-James
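As an added illustration (not code from this thread or from FreeRADIUS), the script below does in pure Python what the `openssl x509 -noout -text` step above does by hand: it walks every CERTIFICATE block in a server-cert.pem, decodes the X.509 Validity field and reports which blocks are expired at the moment of the logged "certificate expired" alert. The PEM input, the radius.example name and all dates are constructed for the example; the DER parser itself works on real certificates.

```python
"""Report the validity window of every CERTIFICATE block in a PEM file (stdlib only)."""
import base64
import datetime as dt
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = dt.timezone.utc

def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a constructed type (SEQUENCE/SET) into child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                            # RFC 5280: YY < 50 means 20YY, else 19YY
        yy = int(s[:2])
        s = f"{2000 + yy if yy < 50 else 1900 + yy}{s[2:]}"
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def cert_validity(raw):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(raw, 0)               # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])   # children of tbsCertificate
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version (v3 certs)
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)

def check_pem(text, now):
    """Return [(index, not_before, not_after, status)] per cert block, in file order."""
    results = []
    for i, b64 in enumerate(PEM_RE.findall(text)):
        nb, na = cert_validity(base64.b64decode("".join(b64.split())))
        status = "expired" if now > na else "not yet valid" if now < nb else "valid"
        results.append((i, nb, na, status))
    return results

# --- constructed sample input: a certificate skeleton, not a real signed cert ---------
def der(tag, payload):
    """Encode one DER TLV (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def fake_cert_pem(not_before, not_after):
    """Build a PEM block with the real X.509 field layout and the given Validity."""
    def utc(t):
        return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    cn = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03")        # id-at-commonName
                                       + der(0x0C, b"radius.example"))))  # hypothetical name
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                         # version v3
              + der(0x02, b"\x01")                                          # serialNumber
              + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
              + cn + der(0x30, utc(not_before) + utc(not_after)) + cn       # issuer, validity, subject
              + der(0x30, b""))                                             # empty SPKI placeholder
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))            # no real signature
    b64 = base64.b64encode(cert).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Timestamp of the logged TLS alerts, and a file where an old cert was left above the new one.
NOW = dt.datetime(2011, 10, 21, 12, 26, 45, tzinfo=UTC)
SAMPLE_PEM = (fake_cert_pem(dt.datetime(2010, 10, 24, tzinfo=UTC), dt.datetime(2011, 10, 19, tzinfo=UTC))
              + fake_cert_pem(dt.datetime(2011, 10, 1, tzinfo=UTC), dt.datetime(2012, 10, 24, tzinfo=UTC)))

def report(text=SAMPLE_PEM, now=NOW):
    """Status per block; block 0 is the certificate SSL_CTX_use_certificate_file() would load."""
    return check_pem(text, now)

if __name__ == "__main__":
    for i, nb, na, status in report():
        print(f"cert #{i}: notBefore={nb:%Y-%m-%d} notAfter={na:%Y-%m-%d} -> {status}")
```

OpenSSL takes the first CERTIFICATE block in the file as the server certificate, so when a renewed cert is pasted into an existing server-cert.pem, the block order decides which one is presented; the report makes that order visible.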
Re: SSL error after updating cert
Thanks for the reply! Yes, the clients are set with correct time/date.

That command didn't work. Did you mean openssl verify command? I ran that and both the
old cert (still valid for a few days) and the new cert (already valid) show the correct
domain but then says:

error 20 at 0 depth lookup:unable to get local issuer certificate

This may not be the problem since I get it with both old and new certs.

Any other ideas?

On Fri Oct 21 14:56:33 CDT 2011, James J J Hooper wrote:
> On 21/10/2011 20:44, Eric Geier wrote:
>> Hi, I'm trying to update my server's cert, but getting errors
>> after applying it:
>>
>> Fri Oct 21 12:26:45 2011 : Error: TLS Alert read:fatal:certificate expired
>> Fri Oct 21 12:26:45 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
>> Fri Oct 21 12:26:45 2011 : Error: rlm_eap: SSL error error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
>> Fri Oct 21 12:26:45 2011 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
>>
>> Says expired but I'm using the new cert, which is a renewal from a
>> third-party CA and using the same private key. I apply it by
>> inserting the text of the .crt file into the server-cert.pem file
>> in the certs folder. I think that's all I have to do and restart
>> freeradius?
>>
>
> 1) Check the date on the client system is correct
>
> 2) do:
> openssl -in /path/to/your/raddb/server-cert.pem -noout -text
> and verify the properties of the cert you have.
>
> -James
Re: SSL error after updating cert
On 21/10/2011 20:44, Eric Geier wrote:
> Hi, I'm trying to update my server's cert, but getting errors after applying it:
>
> Fri Oct 21 12:26:45 2011 : Error: TLS Alert read:fatal:certificate expired
> Fri Oct 21 12:26:45 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Fri Oct 21 12:26:45 2011 : Error: rlm_eap: SSL error error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
> Fri Oct 21 12:26:45 2011 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
>
> Says expired but I'm using the new cert, which is a renewal from a third-party CA
> and using the same private key. I apply it by inserting the text of the .crt file
> into the server-cert.pem file in the certs folder. I think that's all I have to do
> and restart freeradius?

1) Check the date on the client system is correct

2) do:
openssl -in /path/to/your/raddb/server-cert.pem -noout -text
and verify the properties of the cert you have.

-James
SSL error after updating cert
Hi, I'm trying to update my server's cert, but getting errors after applying it:

Fri Oct 21 12:26:45 2011 : Error: TLS Alert read:fatal:certificate expired
Fri Oct 21 12:26:45 2011 : Error: TLS_accept:failed in SSLv3 read client certificate A
Fri Oct 21 12:26:45 2011 : Error: rlm_eap: SSL error error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
Fri Oct 21 12:26:45 2011 : Error: rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.

Says expired but I'm using the new cert, which is a renewal from a third-party CA and
using the same private key. I apply it by inserting the text of the .crt file into the
server-cert.pem file in the certs folder. I think that's all I have to do and restart
freeradius?

Any ideas? Thanks for your help!
Re: Allow EAP-TLS based authentications only
Panagiotis Georgopoulos wrote:
> Perhaps I wasn't very clear. I want to allow any TLS *based* authentications
> to occur, that is, any authentication that establishes a TLS tunnel and
> passes its credentials over it.
>
> If I am right, TTLS and PEAP belong to this category, thus I need them! So,
> if I configure only EAP-TLS, TTLS and PEAP in eap.conf, I should be ok,
> right?

Yes.

Alan DeKok.
Re: Quota based on time with squid
senthil kumar wrote:
> I have installed free-radius in linux machine with accounting support
> and was able to authenticate using radtest client. and also I was also
> successfully authenticate with squid proxy server.

That's good to hear.

> I need to assign quota to squid users based on the weekly/hourly
> basis. I need users radius server to return packet reject when time is
> expired. is it possible in radius?

Yes. See the "counter" module, or the "sqlcounter" module.

The main issue is that they require the NAS to send accounting
packets. I don't know if squid does that.

> I am using only linux machine with proxy server. whether NAS is needed?

In this case, squid is the NAS. (i.e. machine sending Access-Request)

> If so, can anyone help me in framing the rules for quota . eg 2 hours
> a day. I have basic configuration and now when a user authenticates
> login time is updated in the radpostauth.

This is documented in the sqlcounter module. Look there first.

Alan DeKok.
Re: Radius + SAMBA PDC + LDAP
On 21.10.2011 18:28, Phil Mayers wrote:
> On 21/10/11 17:03, Andreas Rudat wrote:
>> Hi,
>>
>> I'm using samba as pdc and ldap as user database. That all works fine.
>> Now I want to use the ldap database for user auth. for radius. But when
>> I'm looking here
>> http://deployingradius.com/documents/configuration/active_directory.html
>> and some other sources, I read everywhere the same: "Configuration of
>> Kerberos". But why? I think it should also work with ntlm only? And is
>> this paper the correct one for me? Cause if I understand it correctly, in
>> that scenario they are using a MS AD?
>
> If you are using a Samba PDC with LDAP storage, you should be able to make
> FreeRADIUS extract the ntPassword LDAP attribute, and you will not need to
> interact with Samba at all.

ok, thanks
Quota based on time with squid
Hello Team,

I am a newbie to radius server. I have installed free-radius in a linux machine with
accounting support and was able to authenticate using the radtest client, and I was
also able to authenticate successfully with the squid proxy server.

I need to assign quota to squid users on a weekly/hourly basis. I need the radius
server to return a reject packet when the user's time has expired. Is it possible in
radius?

I am using only a linux machine with the proxy server. Is a NAS needed?

If so, can anyone help me in framing the rules for quota, e.g. 2 hours a day. I have a
basic configuration and now when a user authenticates the login time is updated in
radpostauth.

Thanks,
Senthil
RE: Allow EAP-TLS based authentications only
> Panagiotis Georgopoulos wrote:
>> Am I right in thinking that if I leave enabled only the EAP-TLS, the
>> EAP-TTLS and PEAP parts in my eap.conf file, I would basically achieve
>> what I want? In other words, essentially disable md5, leap, gtc,
>> mschapv2 in the eap.conf.
>
> To allow only EAP-TLS, simply delete every *other* subsection from the
> eap configuration. You don't need TTLS, and you don't need PEAP.

Perhaps I wasn't very clear. I want to allow any TLS *based* authentications to occur,
that is, any authentication that establishes a TLS tunnel and passes its credentials
over it.

If I am right, TTLS and PEAP belong to this category, thus I need them! So, if I
configure only EAP-TLS, TTLS and PEAP in eap.conf, I should be ok, right?

Cheers,
Panos
Re: Radius + SAMBA PDC + LDAP
On 21/10/11 17:03, Andreas Rudat wrote:
> Hi,
>
> I'm using samba as pdc and ldap as user database. That all works fine. Now I
> want to use the ldap database for user auth. for radius. But when I'm looking
> here http://deployingradius.com/documents/configuration/active_directory.html
> and some other sources, I read everywhere the same: "Configuration of
> Kerberos". But why? I think it should also work with ntlm only? And is this
> paper the correct one for me? Cause if I understand it correctly, in that
> scenario they are using a MS AD?

If you are using a Samba PDC with LDAP storage, you should be able to make FreeRADIUS
extract the ntPassword LDAP attribute, and you will not need to interact with Samba at
all.
Radius + SAMBA PDC + LDAP
Hi,

I'm using samba as pdc and ldap as user database. That all works fine. Now I want to
use the ldap database for user auth. for radius. But when I'm looking here
http://deployingradius.com/documents/configuration/active_directory.html and some
other sources, I read everywhere the same: "Configuration of Kerberos". But why? I
think it should also work with ntlm only? And is this paper the correct one for me?
Cause if I understand it correctly, in that scenario they are using a MS AD?

Thanks
Andreas
Re: Allow EAP-TLS based authentications only
Panagiotis Georgopoulos wrote:
> Am I right in thinking that if I leave enabled only the EAP-TLS, the
> EAP-TTLS and PEAP parts in my eap.conf file, I would basically achieve
> what I want? In other words, essentially disable md5, leap, gtc,
> mschapv2 in the eap.conf.

To allow only EAP-TLS, simply delete every *other* subsection from the
eap configuration. You don't need TTLS, and you don't need PEAP.

> There should not be any need for me to touch the inner-tunnel or
> inner-eap, right?

You do not need to touch inner-tunnel. I don't know what "inner-eap" is.

Alan DeKok.
Re: Assert Failed on Proxing
andreapepa wrote:
> i can be sure that with this procedure i will have freeradius upgrade or two
> version of FR installed ?

You will have only the new version installed.

> maybe this is another basic question.. but are you sure that i will get no
> problem with any dependencies?

Yes.

Alan DeKok.
Re: Assert Failed on Proxing
obviously, Phil...

my question, not well explained, was about upgrading the package.

can I be sure that with this procedure I will have freeradius upgraded, or two versions
of FR installed?

maybe this is another basic question.. but are you sure that I will get no problem with
any dependencies?

Thanks a lot

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924856.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Allow EAP-TLS based authentications only
Hello all,

I want to get my FR configuration to allow only EAP-TLS based authentications.

Am I right in thinking that if I leave enabled only the EAP-TLS, the EAP-TTLS and PEAP
parts in my eap.conf file, I would basically achieve what I want? In other words,
essentially disable md5, leap, gtc, mschapv2 in the eap.conf.

There should not be any need for me to touch the inner-tunnel or inner-eap, right?

Thanks a lot,
Panos
Re: Problems with radrelay
tonimanel wrote:
> I guess that it's normal but I would like to know it. I have configured two
> servers with robust-proxy-accounting model. My doubt is, when radiusA server
> writes a record into database, writes its current time and then sends
> accounting packet to radiusB server (proxying). RadiusB server receives the
> packet and writes the record into database but with different time
> (obviously its current time) (a few seconds of difference). This is correct?

Possibly. More recent versions of the server update the Event-Timestamp &&
Acct-Delay-Time attributes. They keep track of the time when it was written to the
detail file, versus when it was sent to the other server. The other server then uses
those attributes to track when the session really started.

> So, if I want to have the same data between radiusA and radiusB, must I to
> use copy-acct-to-home configuration model to get it?

Yes.

Alan DeKok.
Re: Assert Failed on Proxing
On 21/10/11 13:33, andreapepa wrote:
> http://packages.debian.org/search?keywords=freeradius
>
> in this link i can't find any version to upgrade from 2.1.10, can you tell
> me how to upgrade to 2.1.12?

Install the compiler and development libraries
Download the source
unpack it
./configure
make
make install

These are basic Unix questions, not FreeRADIUS-specific.
Re: Assert Failed on Proxing
andreapepa wrote:
> http://packages.debian.org/search?keywords=freeradius
>
> in this link i can't find any version to upgrade from 2.1.10, can you tell
> me how to upgrade to 2.1.12?

http://wiki.freeradius.org/

It has instructions for building Debian packages. Build a package for 2.1.12, and
install it.

Alan DeKok.
Re: Problems with radrelay
Hi everybody.

I guess that it's normal but I would like to know it. I have configured two servers
with robust-proxy-accounting model. My doubt is, when radiusA server writes a record
into database, it writes its current time and then sends the accounting packet to
radiusB server (proxying). RadiusB server receives the packet and writes the record
into database but with a different time (obviously its current time) (a few seconds of
difference). Is this correct? I think that yes...

So, if I want to have the same data between radiusA and radiusB, must I use the
copy-acct-to-home configuration model to get it?

Thanks.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Problems-with-radrelay-tp4918721p4924613.html
Re: Assert Failed on Proxing
http://packages.debian.org/search?keywords=freeradius

in this link I can't find any version to upgrade from 2.1.10, can you tell me how to
upgrade to 2.1.12?

Thanks

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924574.html
Re: Assert Failed on Proxing
http://wiki.freeradius.org/Debian

Can I go for it?

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924551.html
Re: Assert Failed on Proxing
ii  freeradius             2.1.10+dfsg-2  a high-performance and highly configurable RADIUS server
ii  freeradius-common      2.1.10+dfsg-2  FreeRADIUS common files
ii  freeradius-postgresql  2.1.10+dfsg-2  PostgreSQL module for FreeRADIUS server
ii  freeradius-utils       2.1.10+dfsg-2  FreeRADIUS client utilities

These are the packages installed on a debian 6 by apt-get.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Assert-Failed-on-Proxing-tp4924319p4924546.html
Re: Assert Failed on Proxing
andreapepa wrote:
> As you can see from the attached log, i was trying to do some proxy test,
> the server crashed attempting to proxy against a not running freeradius
> proxy ( i was only testing proxy action not authentication on other FR
> servers) is it normal?

Upgrade. This was fixed many months ago.

Alan DeKok.
Re: Assert Failed on Proxing
On 21/10/11 11:10, andreapepa wrote:
> Hi all,
>
> As you can see from the attached log, i was trying to do some proxy test,
> the server crashed attempting to proxy against a not running freeradius
> proxy ( i was only testing proxy action not authentication on other FR
> servers) is it normal?

Which version are you running? Similar bugs were fixed in older versions. If you're not
already, upgrade to 2.1.12
Assert Failed on Proxing
Hi all,

As you can see from the attached log, I was trying to do some proxy test; the server
crashed attempting to proxy against a not running freeradius proxy (I was only testing
the proxy action, not authentication on other FR servers). Is it normal?

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.25.18.123 port 39869, id=98, length=215
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "40:61:86:9C:6D:F9"
        Called-Station-Id = "hotspot1"
        NAS-Port-Id = "wlan1"
        User-Name = "ap...@newradius.it"
        NAS-Port = 2150629460
        Acct-Session-Id = "80300054"
        Framed-IP-Address = 10.29.66.3
        Vendor-14988-Attr-10 = 0x0a1d4203
        CHAP-Challenge = 0xb68620a7e997208ee43593bf739602b6
        CHAP-Password = 0x563096c0c85e3e1b1bec92d585dc44496b
        Service-Type = Login-User
        WISPr-Logoff-URL = "http://10.29.66.1/logout"
        NAS-Identifier = "AP Test Vincenzo"
        NAS-IP-Address = 172.25.18.123
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++- entering policy auth_by_SSID {...}
+++? if (Called-Station-Id != /:WiNET-TR5G/ && User-Name =~ /cpe/ )
? Evaluating (Called-Station-Id != /:WiNET-TR5G/ ) -> TRUE
? Evaluating (User-Name =~ /cpe/) -> FALSE
+++? if (Called-Station-Id != /:WiNET-TR5G/ && User-Name =~ /cpe/ ) -> FALSE
++- policy auth_by_SSID returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/172.25.18.123/auth-detail-20111021
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/172.25.18.123/auth-detail-20111021
[auth_log] expand: %t -> Fri Oct 21 11:57:05 2011
++[auth_log] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "newradius.it" for User-Name = "ap...@newradius.it"
[suffix] Found realm "newradius.it"
[suffix] Adding Stripped-User-Name = "apepa"
[suffix] Adding Realm = "newradius.it"
[suffix] Proxying request from user apepa to realm newradius.it
[suffix] Preparing to proxy authentication request to realm "newradius.it"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{Stripped-User-Name} -> apepa
[sql] expand: %{%{Stripped-User-Name}:-%{%{User-Name}:-none}} -> apepa
[sql] sql_set_user escaped user --> 'apepa'
rlm_sql (sql): Reserving sql socket id: 43
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in radcheck table
[sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'apepa' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='apepa' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='apepa' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 1
[sql] expand: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = '%{Sql-Group}' ORDER BY id -> SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'TNNET' ORDER BY id
rlm_sql_postgresql: query: SELECT id, GroupName, Attribute, Value, op FROM radgroupcheck WHERE GroupName = 'TNNET' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 1 , fields = 5
[sql] User found in group TNNET
[sql]
Re: Configuring FreeRADIUS to authenticate against AD
On 21/10/11 10:27, Martin Ubank wrote:
> Thanks Fajar.
>
> 'campus.ads.uwe.ac.uk' is a DNS alias to 6 AD servers and had been working previously.

I'm amazed. It shouldn't.

If you have a properly setup AD environment, just let the DNS-based autodiscovery work.
Re: Configuring FreeRADIUS to authenticate against AD
Thanks Fajar.

'campus.ads.uwe.ac.uk' is a DNS alias to 6 AD servers and had been working previously.

I changed /etc/krb5.conf & /etc/samba/smb.conf to point to 1 of the 6 AD servers and
'net join ...' & 'wbinfo -a ...' now work. The commands also work with 2 other AD
servers. Why the DNS alias has stopped working is an issue to investigate later.

I will continue the FreeRadius deployment using a single AD server.

Thanks again for your help.

Martin.

-Original Message-
From: freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org
[mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org] On Behalf Of Fajar A. Nugraha
Sent: 21 October 2011 09:25
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to authenticate against AD

On Fri, Oct 21, 2011 at 3:10 PM, Martin Ubank wrote:
> I've been following the FreeRadius Deployment guide
> http://deployingradius.com/documents/configuration/active_directory.html

> I've edited /etc/krb5.conf, as follows:
> kdc = campus.ads.uwe.ac.uk

does this server exist and is it reachable?

> I've also edited /etc/samba/smb.conf (comments & blank lines excluded):
> realm = campus.ads.uwe.ac.uk
> password server = campus.ads.uwe.ac.uk

those two usually aren't the same. Are you sure you're using the correct information?
Does the server exist and is it reachable?

> I then run 'net join -U USERNAME' and get:
>
> Unable to find a suitable server for domain CAMPUS
> Unable to find a suitable server for domain CAMPUS

Basically you'd need to get samba to correctly join the domain. Don't bother going
further until this works. samba user list/forum might be able to provide more help.

--
Fajar
Re: Configuring FreeRADIUS to authenticate against AD
On Fri, Oct 21, 2011 at 3:10 PM, Martin Ubank wrote:
> I've been following the FreeRadius Deployment guide
> http://deployingradius.com/documents/configuration/active_directory.html

> I've edited /etc/krb5.conf, as follows:
> kdc = campus.ads.uwe.ac.uk

does this server exist and is it reachable?

> I've also edited /etc/samba/smb.conf (comments & blank lines excluded):
> realm = campus.ads.uwe.ac.uk
> password server = campus.ads.uwe.ac.uk

those two usually aren't the same. Are you sure you're using the correct information?
Does the server exist and is it reachable?

> I then run 'net join -U USERNAME' and get:
>
> Unable to find a suitable server for domain CAMPUS
> Unable to find a suitable server for domain CAMPUS

Basically you'd need to get samba to correctly join the domain. Don't bother going
further until this works. samba user list/forum might be able to provide more help.

--
Fajar
RE: Configuring FreeRADIUS to authenticate against AD
I've been following the FreeRadius Deployment guide
http://deployingradius.com/documents/configuration/active_directory.html

The following software is installed on a Centos 6 VM:
- Samba 3.5.6, Freeradius 2.1.10, wpa_supplicant-0.7.3, gcc v4.4.4-13, openssl, winbind.

I successfully performed basic configuration tests with the 'eapol_test' command for:
- PAP, EAP, EAP-TLS, EAP-TTLS, EAP-MD5 & EAP-MSCHAPv5.

I've created production certificates & successfully tested for the above protocols.

Installed Kerberos 1.8.2 & tested that successfully.

I've edited /etc/krb5.conf, as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = CAMPUS.ADS.UWE.AC.UK
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 CAMPUS.ADS.UWE.AC.UK = {
  kdc = campus.ads.uwe.ac.uk
  admin_server = radius.uwe.ac.uk
  default_domain = CAMPUS.ADS.UWE.AC.UK
 }

[domain_realm]
 .campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK
 campus.ads.uwe.ac.uk = CAMPUS.ADS.UWE.AC.UK

I've also edited /etc/samba/smb.conf (comments & blank lines excluded):

[global]
 workgroup = CAMPUS
 server string = Samba Server Version %v
 log file = /var/log/samba/log.%m
 max log size = 50
 security = ads
 passdb backend = tdbsam
 realm = campus.ads.uwe.ac.uk
 password server = campus.ads.uwe.ac.uk
 load printers = yes
 cups options = raw
 winbind separator = +
 idmap uid = 1-2
 idmap gid = 1-2
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/%D/%U
 template shell = /bin/rbash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 winbind use default domain = yes
 restrict anonymous = 2
 domain master = no
 local master = no
 preferred master = no
 os level = 0

[homes]
 comment = Home Directories
 browseable = no
 writable = yes

[printers]
 comment = All Printers
 path = /var/spool/samba
 browseable = no
 guest ok = no
 writable = no
 printable = yes

I then run 'net join -U USERNAME' and get:

Unable to find a suitable server for domain CAMPUS
Unable to find a suitable server for domain CAMPUS

Running 'wbinfo -a USERNAME%PASSWORD' returns:

plaintext password authentication failed
Could not authenticate user USERNAME%PASSWORD with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc05e)
error messsage was: No logon servers
Could not authenticate user USERNAME with challenge/response

Can anyone tell me what I've done wrong?

Thanks
Martin.