Re: Adding domain names to user logins
On Fri, June 22, 2012 21:24, Alan DeKok wrote:
> Kriston wrote:
>> Well, when I run it, it says it doesn't recognize the atdomain module, which
>> makes sense to me since I don't see one in the modules directory. I'm using
>> FreeRadius 2.1.10 (2.1.10-5.el6) that comes from the CentOS 6.2 repository.
>
> So... look at the 1.x config, find the atdomain module, and copy its
> configuration. This module is *not* distributed with the server. It's
> added only in your local configuration.

Ahh, I got it. Thanks for the pointer.

Kris

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho
Luo, Frank Y.F. Mr. wrote:
> I have noticed that the radwho command only returns one entry at any time but
> obviously there is more than one person logged in
>
> $ sudo radwho
> Login      Name          What  TTY  When       From           Location
> d0c1b122dc d0c1b122dc75  shell S29  Fri 11:43  172.18.47.242  172.24.192.42
>
> Any hint?

Because there's only one person logged in. The others have all logged out.

*Or* your NAS is broken, and is putting everyone on port 29. When a new login gets sent for port 29, the server assumes that it missed a logout, and just over-writes the entry.

Alan DeKok.
Re: Adding domain names to user logins
Kriston wrote:
> Well, when I run it, it says it doesn't recognize the atdomain module, which
> makes sense to me since I don't see one in the modules directory. I'm using
> FreeRadius 2.1.10 (2.1.10-5.el6) that comes from the CentOS 6.2 repository.

So... look at the 1.x config, find the atdomain module, and copy its configuration. This module is *not* distributed with the server. It's added only in your local configuration.

Alan DeKok.
Re: Question on Cisco-AVPair = "device-traffic-class=voice"
Thanks, Matthew.

With this solution, both IP phones and other devices will be marked as 'voice', right? Can we distinguish whether it is a 'voice' device? Then add Cisco-AVPair = "device-traffic-class=voice"; otherwise, don't add this attribute.

Hangjun

--- On Sat, 23 Jun 2012, Matthew Newton wrote:

From: Matthew Newton
Subject: Re: Question on Cisco-AVPair = "device-traffic-class=voice"
To: "FreeRadius users mailing list"
Date: Saturday, 23 June 2012, 6:52 AM

> On Sat, Jun 23, 2012 at 06:24:40AM +0800, John wrote:
>> Is there a way that freeradius can tell it is a VOICE device?
>> Like ACS server: Cisco-AVPair = "device-traffic-class=voice".
>
> man unlang
>
> update reply {
> 	cisco-avpair := "device-traffic-class=voice"
> }
>
> Matthew
>
> --
> Matthew Newton, Ph.D.
> Systems Architect (UNIX and Networks), Network Services, I.T. Services,
> University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253,
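A conditional form of Matthew's update, added here as an example; it is not part of the thread, nor taken from Cisco or FreeRADIUS documentation. It answers Hangjun's follow-up by keying the AVPair on how the device identified itself. It assumes the phones authenticate with EAP-TLS using their factory (MIC) certificates, whose subject CN has the form CP-<model>-SEP<MAC> and therefore arrives as User-Name; the regular expression is an assumption to adjust to what "radiusd -X" shows for your own phones, and the block belongs in the post-auth section of sites-enabled/default.

```unlang
# Added example, not from the thread. Assumes EAP-TLS phones whose
# User-Name is the MIC certificate CN, e.g. CP-7961G-SEP001122334455
# (constructed sample name). Tune the pattern to what "radiusd -X" shows.
post-auth {
	if (User-Name =~ /^CP-[A-Za-z0-9-]+-SEP[0-9A-Fa-f]{12}$/) {
		# Only phones get the voice class; the switch then places the
		# session in the voice VLAN as in the Cisco guide Hangjun linked.
		update reply {
			Cisco-AVPair += "device-traffic-class=voice"
		}
	}
	# Every other device gets no device-traffic-class at all and so
	# stays on the data VLAN, which is what Hangjun asked for.
}
```

For phones that do MAC authentication bypass instead of 802.1X, put Calling-Station-Id (the MAC address) in the condition instead of User-Name; the attribute returned to the switch is the same. Use "+=" rather than ":=" if other Cisco-AVPair values (for example a shell:priv-lvl) are set elsewhere in the reply, so they are not overwritten.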
Re: Question on Cisco-AVPair = "device-traffic-class=voice"
On Sat, Jun 23, 2012 at 06:24:40AM +0800, John wrote:
> Is there a way that freeradius can tell it is a VOICE device?
> Like ACS server: Cisco-AVPair = "device-traffic-class=voice".

man unlang

update reply {
	cisco-avpair := "device-traffic-class=voice"
}

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
Question on Cisco-AVPair = "device-traffic-class=voice"
Hi,

Is there a way that freeradius can tell it is a VOICE device? Like ACS server: Cisco-AVPair = "device-traffic-class=voice".

Here is a link to IP Telephony In IEEE 802.1X ...
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000357

Thanks a lot,
Hangjun
RE: Can't figure out Group Authentication
You rock, man! I will dive deeper into this and see what I can conjure up. Thanks again for the time. I've been looking through the list archives for days and haven't found anything "direct" that could point me in this direction. Then again, I probably passed over it many times just because I'm so burnt out on this :)

Have a good weekend.

-----Original Message-----
From: alan buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Friday, June 22, 2012 3:15 PM
To: Julson, Jim
Cc: freeradius-users@lists.freeradius.org
Subject: Re: Can't figure out Group Authentication

Hi,

> Any hints as to where I'd possibly begin?

if you want to use LDAP to define/check groups, then you need to look at the LDAP module - if you look at this module you can see how to configure it, it's fairly well self-documented and there are LDAP HOWTOs and docs on the main freeradius document sites.

alternatively, you could use eg PERL and the LDAP CPAN module to do the work in that instead.

alan

The information contained in this e-mail message may be confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail message in error, please notify the sender immediately by replying to this message and then delete it from your system.
Re: Can't figure out Group Authentication
Hi,

> Any hints as to where I'd possibly begin?

if you want to use LDAP to define/check groups, then you need to look at the LDAP module - if you look at this module you can see how to configure it, it's fairly well self-documented and there are LDAP HOWTOs and docs on the main freeradius document sites.

alternatively, you could use eg PERL and the LDAP CPAN module to do the work in that instead.

alan
RE: Can't figure out Group Authentication
Any hints as to where I'd possibly begin? I might be able to stumble through it if I at least knew what files I had to edit, I think.

From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Friday, June 22, 2012 2:36 PM
To: Julson, Jim; freeradius-users@lists.freeradius.org
Subject: Re: Can't figure out Group Authentication

You've got to set up some group checking... you haven't, so ldap-group means nothing to the server so you hit the default reject that you added...

alan
Re: Can't figure out Group Authentication
You've got to set up some group checking... you haven't, so ldap-group means nothing to the server so you hit the default reject that you added...

alan
Re: Adding domain names to user logins
On Fri, June 22, 2012 09:45, Alan DeKok wrote:
> Kriston wrote:
>> I have many domain names but my users log in with just their usernames. How
>> do I append the correct domain name to it? In FreeRadius 1.x I used
>> "%{User-Name}%{atdomain:%n}" but what's the equivalent in FreeRadius 2.x?
>
> That didn't change in 2.x.
>
> What doesn't work about it?
>
> Alan DeKok.

Well, when I run it, it says it doesn't recognize the atdomain module, which makes sense to me since I don't see one in the modules directory. I'm using FreeRadius 2.1.10 (2.1.10-5.el6) that comes from the CentOS 6.2 repository.

I've temporarily hard-coded the @example.com at the end of the username string to get things going for this one domain in the meantime. I'm puzzled why it doesn't work using that same syntax. Sql_xlat seems to be here but not atdomain.

Thanks, I'm hoping to figure this out soon with your help.
radwho
I have noticed that the radwho command only returns one entry at any time but obviously there is more than one person logged in

$ sudo radwho
Login      Name          What  TTY  When       From           Location
d0c1b122dc d0c1b122dc75  shell S29  Fri 11:43  172.18.47.242  172.24.192.42

Any hint?

Thanks
Frank
Can't figure out Group Authentication
First, I'd like to thank Alan for his beyond countless hours of dedication to all the blogs, forum postings, and general support within the community. Your write-ups are thorough and well thought out. I wish more people were like you.

I'm pretty new to RADIUS and, consequently, Linux in general. So I might ask questions that seem noobish or lame, but it doesn't mean I'm not willing to learn, research etc. Just bear with me.

Now, the problem is this. Following Alan DeKok's guide at http://deployingradius.com/documents/configuration/active_directory.html, I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort. There were a few things I had to go elsewhere to figure out, but I managed. I have FreeRADIUS set up and authenticating using NTLM_AUTH. I was able to join my AD 2008 R2 Domain, I can list users, groups etc. This RADIUS server will be for authenticating users on all of our Cisco devices, as well as remote access VPN users.

So the problem is this. It's authenticating... a little too well. I've added the following entry into "/etc/raddb/clients.conf" to allow AAA on one of my Cisco routers.

client 10.10.0.5 {
	secret = REALSECRETOMMITTED
	shortname = Cisco-2911-VPCRTR
	nastype = cisco
}

Now, I then set up my Cisco router accordingly, and then did an SSH test to it using my AD Account. Voila! It worked great. However, so did every other "Domain User" account in the environment. This goes back to me being so new to RADIUS and Linux where I don't feel like I'm fully grasping all of the directives within the configuration files, and exactly how they all tie together. I'm getting there, but just not fast enough.

So, how do I lock down the SSH Authentication to an Active Directory Group of users, or individual users? Remember, go easy on me. I'll provide whatever you need to help. I'm assuming you will ask for my RADIUSD -X output, so I've attached that as well.
NOTE: One thing I don't understand is how in Alan DeKok's write-up from the link above, he says don't use the "DEFAULT Auth-Type = ntlm_auth" in the "/etc/raddb/users" file, but yet that's one of the final steps to test in the write-up. Maybe it's because I am so new, but I've been through that document probably 30 times line by line, and yet every time I remove that entry, it breaks the Authentication.

BEGIN RADIUSD -X DEBUG OUTPUT

FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Jul 19 2011 at 10:21:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/linelog
including configurati
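One way to do what Jim asks, added here as an example rather than taken from the thread or from the deployingradius.com guide. It keeps his existing ntlm_auth setup and uses Samba's --require-membership-of option, so that ntlm_auth fails for anyone outside the group even when the password is right; that covers both PAP (what the Cisco SSH login sends) and PEAP/MSCHAPv2 (802.1X and MS-CHAP VPNs). The domain EXAMPLE, the group NetworkAdmins, the SID S-1-5-21-0-0-0-1234 and the path /usr/bin/ntlm_auth are placeholders: obtain the real SID with wbinfo -n 'EXAMPLE\NetworkAdmins' on the joined box. The router 10.10.0.5 is the client from Jim's clients.conf.

```unlang
# Added example, not from the thread. EXAMPLE, NetworkAdmins, the SID
# S-1-5-21-0-0-0-1234 and /usr/bin/ntlm_auth are placeholders.
#
# raddb/modules/ntlm_auth: the exec module used for PAP requests.
# A SID is passed rather than "EXAMPLE\NetworkAdmins" so that neither the
# config parser nor the xlat engine has to cope with a backslash.
exec ntlm_auth {
	wait = yes
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=S-1-5-21-0-0-0-1234"
}

# raddb/modules/mschap: the same restriction for PEAP/MSCHAPv2, which
# carries no User-Password and therefore never reaches the exec above.
mschap {
	use_mppe = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-0-0-0-1234"
}

# raddb/sites-enabled/default. Instead of "DEFAULT Auth-Type := ntlm_auth"
# for every request in the users file, pick ntlm_auth only for PAP requests
# from the router; other NASes (the VPN concentrator) keep their own rules.
authorize {
	preprocess
	mschap
	if ((NAS-IP-Address == 10.10.0.5) && (User-Password)) {
		update control {
			Auth-Type := ntlm_auth
		}
	}
	pap
}

authenticate {
	Auth-Type ntlm_auth {
		ntlm_auth
	}
	mschap
}
```

Test the group check from the shell before touching FreeRADIUS: ntlm_auth --request-nt-key --domain=EXAMPLE --username=jdoe --require-membership-of=S-1-5-21-0-0-0-1234 (it prompts for the password) should report NT_STATUS_OK for a member and a failure for everyone else, with the same password. The LDAP-module route alan buxey describes (an Ldap-Group check in unlang) does the same job without winbind, but it needs a read-only bind account in AD.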
Re: Reg: Accept the user without Mysql check.
On Fri, Jun 22, 2012 at 04:17:21PM +0100, Malla reddy Sama wrote:
> Please check once now. I am facing same problem..

Your netmask is wrong, or your subnet is wrong

	client 172.20.0.0/24 {

should probably be

	client 172.20.68.0/24 {

Matthew

--
Matthew Newton, Ph.D.
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253,
Re: Reg: Accept the user without Mysql check.
Please keep cc to the list.

On Fri, Jun 22, 2012 at 9:45 PM, Malla reddy Sama wrote:
> Dear Fajar,
>
> I am facing a problem like below. please help where I am doing mistake.
>
> Ignoring request to authentication address * port 1812 from unknown client
> 172.20.68.97 port 59268

Let's find out what's wrong from the debug log.

> Clients.conf *
>
> client 172.20.68.0/24 { //ip of server
> 	secret=secret
> }

at a glance that looks correct ...

> radiusd: Loading Clients
> client localhost {
> 	ipaddr = 127.0.0.1
> 	require_message_authenticator = no
> 	secret = "secret"
> 	nastype = "other"
> }
> client 170.20.68.0/24 {
> 	require_message_authenticator = no
> 	secret = "secret"
> }

... but that's not what the debug log says. Notice the difference, 170 instead of 172? Did you edit the debug log? Or perhaps you edited the wrong copy of the configuration files?

Either way, you can see which files the server parses by looking at the debug log. You can also see what the server thinks the configuration values are, which might be different from what you think they should be.

Notice how easy that was to debug problems when you provide the complete debug log?

And PS, if you have a different problem, better start a new thread with a new subject. It will be easier for others to follow. Also please always cc the list, so others with the same problem can benefit as well.

--
Fajar
Re: Adding domain names to user logins
Kriston wrote:
> I have many domain names but my users log in with just their usernames. How
> do I append the correct domain name to it? In FreeRadius 1.x I used
> "%{User-Name}%{atdomain:%n}" but what's the equivalent in FreeRadius 2.x?

That didn't change in 2.x.

What doesn't work about it?

Alan DeKok.
Adding domain names to user logins
I have many domain names but my users log in with just their usernames. How do I append the correct domain name to it? In FreeRadius 1.x I used "%{User-Name}%{atdomain:%n}" but what's the equivalent in FreeRadius 2.x?

Thank you,
Kriston
Re: Reg: Accept the user without Mysql check.
On Fri, Jun 22, 2012 at 5:59 PM, Malla reddy Sama wrote:
> Dear Fajar,
>
> Thank you very for the help.
>
> I have some doubts can you clarify please :)
>
> In the Clients.conf I assign the clients as below:
>
> client 193.168.1.0/24 { //ip of server
> 	secret=secret
> }
>
> 1. It is possible with above IP and Password the clients get the
> authentication accept with radius server ..? what this IP and Password make
> (server allocate IP address for the client on the above range)..?

I suggest you stop right there. Read more documentation (including the wiki), and do some experiments first to understand the basic concepts. Hint: "client" there is not "user PC connected to the access point". Rather, it's THE access point (a.k.a. NAS).

Now your question can mean several different things:

(1) how can I make users connected to that NAS get accepted regardless of password.
The answer: read the documentation for "unlang", and set auth-type for a special condition (e.g. NAS-IP-Address).

(2) how can I make users get accepted regardless of password ONLY IF the user was already assigned IP address x.x.x.x by the NAS (e.g. chillispot).
The answer: I don't think you can. And even if you could, I wouldn't recommend it. But if you insist anyway, check out what attributes the NAS sends, and set attributes as needed with unlang. If the NAS sends the user's IP address as part of the request attributes, then it can be done. If the NAS doesn't send it, then it can't be done.

(3) how can I make users get accepted regardless of password, and have radius assign a dynamic IP in the range of x.x.x.x.
Probably use something like rlm_sqlippool in addition to setting Auth-Type.

Which one do you want?

If you didn't understand what I wrote on those three points, then again, spend some time to read more documentation (including the wiki), and do some experiments first to understand the basic concepts.

--
Fajar
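A worked version of Fajar's option (1), added here as an example and not taken from the thread or from the wiki. It also applies the client fix that Matthew and Fajar point at in the same thread: the NAS that sent the request lives in 172.20.68.0/24, not in 170.20.68.0/24 or 172.20.0.0/24. The shortname lab-nas is an assumption, and "secret" should be replaced with a real shared secret. Be clear about what this buys: nothing checks the password any more, so anyone who can reach the server from that prefix with the secret is accepted; keep the prefix as narrow as the NAS actually needs.

```unlang
# Added example, not from the thread. "lab-nas" is an assumed name and
# "secret" stands in for a real shared secret.
#
# raddb/clients.conf: the source address must match a client block, or the
# request is dropped as "unknown client" before any unlang runs at all.
client 172.20.68.0/24 {
	secret = secret
	shortname = lab-nas
}

# raddb/sites-enabled/default
authorize {
	preprocess
	# Option (1): everything that arrives via that NAS is accepted without
	# touching SQL. The shared secret is then the only protection, which is
	# why the client block above is a /24 and not the whole 172.20.0.0/16.
	if ("%{client:shortname}" == "lab-nas") {
		update control {
			Auth-Type := Accept
		}
	}
	else {
		# Every other NAS goes through the normal path.
		sql
		pap
	}
}
```

With Auth-Type set to Accept the authenticate section is never entered, which is visible in radiusd -X output: the request from the lab NAS is accepted straight after authorize, while a request from any other client still shows the sql and pap modules running. If the real requirement is Fajar's option (2) or (3), this block is not enough.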
Posts from nabble
After recent messages, I've banned nabble.com from posting to the list. The signal to noise ratio was just too high. The overwhelming majority of the questions were... not good.

I've discussed this off-line with the nabble administrators. The nabble pages are now marked read-only. i.e. you can read the list there, but you can't post using nabble.

As always, *good* questions get *good* answers. This list is here to help people, and it does.

Alan DeKok.
Re: Building FreeRADIUS on HP-UX B.11.31 ia64 (gcc, 32bit)
Alexander Gattin wrote:
> gcc +b src/lib/.libs was in fact started by
> ./libtool:

Yes. The version of libtool used by FreeRADIUS is quite old. Unfortunately, I've tried to upgrade it multiple times without much success. libtool, libltdl, and configure are incestuously related in bizarre ways. It's annoying, frustrating, and borderline incompetent.

> P.S. I'm actually fixing bug in ltmain.sh
> v1.5.22, and I suspect that the
> hardcode_libdir_flag_spec_ld problem is already
> fixed in newer versions of ltmain.sh. 1.5.22 is
> pretty old (2005/12/18).

Exactly. I'm loath to upgrade libtool && libltdl.

The code in the "master" branch (what will be 3.0) has a number of changes to the build system. It now can build without libtool or libltdl. The result is a build that is faster, simpler, and much better.

Alan DeKok.
Re: How LDAP Authentication works
Tobias Hachmer wrote:
> The Test MS AD Server has domain functional level "2008 R2" and quite
> default settings.

Active Directory is not really an LDAP server. The reasons are complicated. It's almost an LDAP server, but it's different in critical ways.

> In radiusd -X output the ldap module performs first the ldap bind with
> the identity which is configured in ldap module configuration. After
> that the ldap bind with user credentials provided in access-request packet:
...
> Is the first ldap bind really necessary or can I configure in ldap
> module something like "bind as user" to avoid the requirement to have a
> service user account in AD?

The first search is necessary to determine the User-DN to use for the second search. You can't get rid of the read-only admin account.

If you set the LDAP-UserDN manually, you'll get rid of the first bind. But the server needs the admin account for LDAP to work.

Alan DeKok.
Re: Building FreeRADIUS on HP-UX B.11.31 ia64 (gcc, 32bit)
Hello,

On Fri, Jun 22, 2012 at 12:16:00PM +0300, Alexander Gattin wrote:
> 1. ld options '+b ' are passed without
>    '-Wl,' prefix directly to gcc (not to ld):

gcc +b src/lib/.libs was in fact started by ./libtool:

>> /comptel/ilink/src/freeradius-server-2.1.12/libtool --mode=link gcc
>> -release 2.1.12 \
>> -module -export-dynamic -o rlm_acctlog.la \
>> -rpath /comptel/ilink/32/lib rlm_acctlog.lo
>> rlm_acctlog.c
>> /comptel/ilink/src/freeradius-server-2.1.12/src/lib/libfreeradius-radius.la
>> -lnsl -lrt -lpthread
>> gcc -shared -Wl,+h -Wl,rlm_acctlog-2.1.12.so -Wl,+nodefaultrpath -o
>> .libs/rlm_acctlog-2.1.12.so .libs/rlm_acctlog.o +b
>> /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs:/comptel/ilink/32/lib
>>
>> /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs/libfreeradius-radius.so
>> -lnsl -lrt -lpthread -lc
>> gcc: +b: No such file or directory

I've made a 2nd attempt at fixing the problem. I think that having distinct hardcode_libdir_flag_spec and hardcode_libdir_flag_spec_ld sets of flags is essential. You may want to link directly with native HP-UX /usr/bin/ld, and then you should use hardcode_libdir_flag_spec_ld, or you may want to use gcc and pass the "+b" option and its value from gcc to the linker using "-Wl," prefixes.

With libtool you don't have and don't use distinct "c-link" and "native-link" modes, though. libtool is run with "--mode=link" and then it must decide which type of linker arguments to use by itself.

My patch infers this (c-link vs native-link) by looking at the 1st non-option argument to the libtool -- usually it's a command name, like "cc", "gcc" or "ld".

The relevant part of libtool comes from ltmain.sh, so I'm attaching a patch for ltmain.sh (after applying the patch you'll need to re-run ./configure in order to produce a new ./libtool).

P.S. I'm actually fixing a bug in ltmain.sh v1.5.22, and I suspect that the hardcode_libdir_flag_spec_ld problem is already fixed in newer versions of ltmain.sh.
1.5.22 is pretty old (2005/12/18).

--
With best regards,
xrgtn

--- ltmain.sh.orig 2011-09-30 17:12:07.0 +0300 +++ ltmain.sh 2012-06-22 13:14:17.0 +0300 @@ -3880,7 +3880,12 @@ test -n "$hardcode_libdirs"; then libdir="$hardcode_libdirs" if test -n "$hardcode_libdir_flag_spec_ld"; then - eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" + case $nonopt in + *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*) + eval dep_rpath=\"$hardcode_libdir_flag_spec\";; + *) + eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\";; + esac else eval dep_rpath=\"$hardcode_libdir_flag_spec\" fi
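Review bot: the "case $nonopt in *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)" branch decides purely from the spelling of the first non-option argument and is case-sensitive, so HP's own aCC driver, a CC wrapper, or any compiler invoked under a name that ends in neither "cc" nor "++" drops into the "*)" branch and still gets the bare "+b $libdir" form that broke the build; configure already records whether the link is driven by the compiler (with_gcc, and whether archive_cmds is built around $CC or $LD), so deciding from that, or at least matching case-insensitively, would be more robust than guessing from the command name. The hunk also has no comment saying why $nonopt is being inspected here, and a one-line note would help whoever later has to merge this against a newer ltmain.sh. Finally, check whether $hardcode_libdir_flag_spec_ld is expanded anywhere else in ltmain.sh for the final link; if it is, the same choice has to be made there, or the rpath for the finished library will still carry an unprefixed "+b".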
Re: Reg: Accept the user without Mysql check.
Dear Fajar,

Thank you very much for the help.

I have some doubts, can you clarify please :)

In the Clients.conf I assign the clients as below:

client 193.168.1.0/24 { //ip of server
	secret=secret
}

1. Is it possible with the above IP and Password that the clients get authentication accept with the radius server? What do this IP and Password make (does the server allocate an IP address for the client in the above range)?

2. If I do not keep this IP and Password in Clients.conf and just assign "DEFAULT Auth-Type := Accept" in the users file, then every user on the eth0 interface gets authentication accept, is that correct?

Please can you clarify for me.

Thanks & Best Regards,
MallaReddy Sama,

From: Fajar A. Nugraha
To: Malla reddy Sama ; FreeRadius users mailing list
Sent: Friday, 22 June 2012 12:35 PM
Subject: Re: Reg: Accept the user without Mysql check.

On Fri, Jun 22, 2012 at 5:27 PM, Malla reddy Sama wrote:
>
> Dear All,
>
> I am using freeradius 2.1.10 and Mysql.
>
> The server working on interface eth0. Any request get to this interface, the
> request has to be accept without checking the database.
>
> Any suggestion on this regards.

As usual, did you read the wiki?
http://wiki.freeradius.org/FAQ#How-do-I-permit-access-to-any-user-regardless-of-password%3F

... and if it doesn't work for you, search for "It still doesn't work!" on that same page.

--
Fajar
Re: Reg: Accept the user without Mysql check.
On Fri, Jun 22, 2012 at 5:27 PM, Malla reddy Sama wrote:
>
> Dear All,
>
> I am using freeradius 2.1.10 and Mysql.
>
> The server working on interface eth0. Any request get to this interface, the
> request has to be accept without checking the database.
>
> Any suggestion on this regards.

As usual, did you read the wiki?
http://wiki.freeradius.org/FAQ#How-do-I-permit-access-to-any-user-regardless-of-password%3F

... and if it doesn't work for you, search for "It still doesn't work!" on that same page.

--
Fajar
Reg: Accept the user without Mysql check.
Dear All,

I am using freeradius 2.1.10 and Mysql.

The server is working on interface eth0. Any request that gets to this interface has to be accepted without checking the database.

Any suggestions in this regard?

Thanks & Best Regards,
MallaReddy,
Re: How LDAP Authentication works
On 22.06.2012 10:18, Fajar A. Nugraha wrote:
>> But is this identity also needed for authentication only?
>
> There are several ways you can use LDAP for authentication.
>
> For "normal" LDAP servers which store the user password in an accessible
> attribute with an optional supported encryption schema, you only need the
> ldap module in the authorization phase to get the attribute. This is the
> recommended method. Other FR modules (pap, mschap) will then process the
> password attribute and compare it to the one in the request.
>
> If the LDAP server does not expose the user password, or stores it in an
> unsupported encryption schema, then you need to do an ldap bind. However
> in order to do that the request needs to be PAP, because you need the
> password that the user inputs in plain text (i.e. the user-password
> request attribute).
>
> Either way, you need the identity to get user attributes from the LDAP
> server during the authorization phase. Without those attributes, the
> authentication phase will fail.

Hmm, and when I only just want to authenticate users which are connecting via ssh to a network device I can always do PAP.

In my tests I have temporarily set Auth-Type of a user to ldap. In the "authorize" section I commented out the ldap module. So the ldap module is only active in the "authentication" section.

The Test MS AD Server has domain functional level "2008 R2" and quite default settings.

In radiusd -X output the ldap module performs first the ldap bind with the identity which is configured in the ldap module configuration. After that the ldap bind with the user credentials provided in the access-request packet:

Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
++- entering redundant-load-balance group redundant-load-balance {...}
[ldap3] login attempt by "a160admin-hachmer" with password "abc123!"
[ldap3] 	expand: %{Stripped-User-Name} ->
[ldap3] 	... expanding second conditional
[ldap3] 	expand: %{User-Name} -> a160admin-hachmer
[ldap3] 	expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=a160admin-hachmer)
[ldap3] 	expand: dc=1632labor,dc=local -> dc=1632labor,dc=local
[ldap3] ldap_get_conn: Checking Id: 0
[ldap3] ldap_get_conn: Got Id: 0
[ldap3] attempting LDAP reconnection
[ldap3] (re)connect to ldaps://radiustestwdc3.1632labor.local, authentication 0
[ldap3] setting TLS CACert File to /etc/raddb/certs/1632labor.pem
[ldap3] setting TLS Require Cert to demand
[ldap3] bind as cn=a160sa-freeradius,cn=Users,dc=1632labor,dc=local/abc321! to ldaps://radiustestwdc3.1632labor.local
[ldap3] waiting for bind result ...
[ldap3] Bind was successful
[ldap3] performing search in dc=1632labor,dc=local, with filter (sAMAccountName=a160admin-hachmer)
[ldap3] ldap_release_conn: Release Id: 0
[ldap3] user DN: CN=Tobias Hachmer,OU=1632User,DC=1632labor,DC=local
[ldap3] (re)connect to ldaps://radiustestwdc3.1632labor.local, authentication 1
[ldap3] setting TLS CACert File to /etc/raddb/certs/1632labor.pem
[ldap3] setting TLS Require Cert to demand
[ldap3] bind as CN=Tobias Hachmer,OU=1632User,DC=1632labor,DC=local/abc123! to ldaps://radiustestwdc3.1632labor.local
[ldap3] waiting for bind result ...
[ldap3] Bind was successful
[ldap3] user a160admin-hachmer authenticated successfully
+++[ldap3] returns ok

Is the first ldap bind really necessary or can I configure in the ldap module something like "bind as user" to avoid the requirement to have a service user account in AD?

Regards,
Tobias Hachmer
Building FreeRADIUS on HP-UX B.11.31 ia64 (gcc, 32bit)
Hello,

There are 2 problems with the HP-UX build (I use GNU gcc and native ld):

1. ld options '+b ' are passed without '-Wl,' prefix directly to gcc (not to ld):

> gcc -shared -Wl,+h -Wl,rlm_acctlog-2.1.12.so -Wl,+nodefaultrpath -o
> .libs/rlm_acctlog-2.1.12.so .libs/rlm_acctlog.o +b
> /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs:/comptel/ilink/32/lib
>
> /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs/libfreeradius-radius.so
> -lnsl -lrt -lpthread -lc
> gcc: +b: No such file or directory
> gcc:
> /comptel/ilink/src/freeradius-server-2.1.12/src/lib/.libs:/comptel/ilink/32/lib:
> No such file or directory
> make[6]: *** [rlm_acctlog.la] Error 1

Probably, native ld is never invoked directly in the FreeRADIUS build, so I've hacked the ./configure script in this place:

> if test "$with_gnu_ld" = no; then
>   hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
>   hardcode_libdir_separator=:
>
>   case $host_cpu in
>   hppa*64*|ia64*)
>     hardcode_libdir_flag_spec_ld='+b $libdir'
>     hardcode_direct=no
>     hardcode_shlibpath_var=no
>     ;;
>   *)
>     hardcode_direct=yes
>     export_dynamic_flag_spec='${wl}-E'
>
>     # hardcode_minus_L: Not really in the search PATH,
>     # but as the default location of the library.
>     hardcode_minus_L=yes
>     ;;
>   esac
> fi

I replaced hardcode_libdir_flag_spec_ld='+b $libdir' with hardcode_libdir_flag_spec_ld='${wl}+b ${wl}$libdir' (quick and dirty fix), and this allowed me to continue:

2. raddb/Makefile uses the one-argument form of 'ln -s', which is not present on HP-UX:

> make[2]: Entering directory `/comptel/ilink/src/freeradius-server-2.1.12/raddb'
> Usage: ln [-f] [-i] [-s] f1 f2
>        ln [-f] [-i] [-s] f1 ... fn d1
> make[2]: *** [all] Error 2
> make[2]: Leaving directory `/comptel/ilink/src/freeradius-server-2.1.12/raddb'

I've fixed it this way: sed -i.orig 's/\(\
Re: How LDAP Authentication works
On Fri, Jun 22, 2012 at 1:30 PM, Tobias Hachmer wrote:
> In LDAP module configuration I set an identity. For my understanding this is
> for the ldap bind user. With this identity FR will get access to the ldap
> database, to do groupmembership information or attributes and so on.

correct.

> But is this identity also needed for authentication only?

There are several ways you can use LDAP for authentication.

For "normal" LDAP servers which store the user password in an accessible attribute with an optional supported encryption schema, you only need the ldap module in the authorization phase to get the attribute. This is the recommended method. Other FR modules (pap, mschap) will then process the password attribute and compare it to the one in the request.

If the LDAP server does not expose the user password, or stores it in an unsupported encryption schema, then you need to do an ldap bind. However in order to do that the request needs to be PAP, because you need the password that the user inputs in plain text (i.e. the user-password request attribute).

Either way, you need the identity to get user attributes from the LDAP server during the authorization phase. Without those attributes, the authentication phase will fail.

> In my setup I just want to authenticate my users against Microsoft Active
> Directory, authorization will be done through sql.
> So I thought about if I need the bind user. Am I right with this:
> FR or the ldap module will test if the username/password combination is
> correct against ldap. For that it will do a simple ldap bind with the
> credentials from access-request packet. So, is the identity really needed
> for authentication or is my understanding here wrong?
> Please point me to the right...

windows clients will use peap-mschapv2 for 802.1x. That means no user-password attribute in the access-request packet, which means you can't do an LDAP bind. AD will not give out the encrypted user's password either. So in this case you'll also need ntlm_auth and do some special setup in FR.

Read http://deployingradius.com/documents/configuration/active_directory.html for details.

--
Fajar
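A bind-only configuration, added here as an example rather than taken from the thread. It does what Alan DeKok describes in his reply on this subject: with Ldap-UserDn set beforehand, the ldap module skips the search and with it the service-account bind. It assumes the request is PAP (so User-Password is present), that the domain is 1632labor.local from Tobias's debug output, and that the domain controller accepts a simple bind whose name is the userPrincipalName (user@domain), which Windows DCs do. Authorization data and Ldap-Group checks are then unavailable, which is what Alan means by the server still needing the admin account for LDAP to work; PEAP/MSCHAPv2 requests from Windows clients, as Fajar notes, never carry User-Password and must go through ntlm_auth instead.

```unlang
# Added example, not from the thread. Assumes PAP, a DC that accepts a
# UPN-style simple bind, and an ldap module pointed at ldaps:// with
# tls_require_cert = demand as in Tobias's output: the user's password
# crosses the wire in this bind, so the transport must be verified.
authorize {
	preprocess
	# Restrict the user name to plain account characters so that the
	# value built below cannot be steered to another realm or DN.
	if ((User-Password) && (User-Name =~ /^[A-Za-z0-9._-]+$/)) {
		update control {
			Ldap-UserDn := "%{User-Name}@1632labor.local"
			Auth-Type := LDAP
		}
	}
	# ldap is deliberately not listed here: no identity bind, no search,
	# and therefore also no attributes or group membership read from AD.
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

In radiusd -X the "bind as cn=a160sa-freeradius,..." and "performing search ..." lines from Tobias's output disappear and only one bind remains, as "a160admin-hachmer@1632labor.local" with the password from the request. Requests that fail the name check or carry no User-Password get no Auth-Type here and fall through to whatever the rest of the authorize section decides, which by default is a reject.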