RE: Can't figure out Group Authentication

2012-06-23 Thread Julson, Jim
Okay, so I think I'm getting closer.  But I have a few challenges still.  I am 
slowly learning how to parse the RADIUS -X debug output, now it's a matter of 
knowing what to do with the information.

I know that when I've set up Cacti servers or other Linux based servers that 
bind to LDAP, I've had problems with 2 different facets of the implementation.

1.  Domain Groups with spaces sometimes would or wouldn't work.  (Is that the 
case with FreeRADIUS?)
2.  Recursive searches were a problem.  See below for how the basic Active 
Directory structure looks for us (Note the spaces in the names).  For Cacti, I 
had to create a new OU, with a new Security Group that didn't have spaces in 
it.  That was the only way I could get LDAP Binds to work for Group 
Authentication.  (I find it hard to believe that's the case with FreeRADIUS... I 
tend to lean more towards my bad configuration).

DOMAIN.EXAMPLE.COM
ADMIN - Users
ADMIN - Groups
ADMIN - Servers
Computers
Users
Domain Controllers
Built-In
Etc..

So, in that example, if I wanted to have a user be Authenticated who resides in 
"ADMIN - Users", but the group is in "ADMIN - Groups", does it matter to the 
RADIUS LDAP module?


Now, in /etc/raddb/modules/ldap, we would have the binding set up as follows.  
Note that the Base DN is the top level of the domain because it has to be able 
to recursively search all sub-OUs to find both users and groups.

**
/etc/raddb/modules/ldap

server = "172.16.5.200"
identity = "CN=Administrator,CN=Users,DC=DOMAIN,DC=EXAMPLE,DC=COM"
password = MyPasswordForBIND
basedn = "DC=DOMAIN,DC=EXAMPLE,DC=COM"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"

groupname_attribute = cn
# The member= clause was missing the opening brace of its %{Ldap-UserDn} expansion; fixed here.
groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf

**


NOTE:  I am kind of lost here.  I see so many people using so many different 
syntaxes that I'm not sure if I'm using the right one.  At present, the "users" 
file is completely default except for the following lines I've added at the 
very top.   So, no matter what my LDAP output shows, If I uncomment the two 
lines for ntlm_auth, I can login with any Domain User regardless of the top 2 
lines that say "Domain Admins", and all others are rejected.  So I'm thinking 
ultimately my problem is not just here, but also with the LDAP bind taking 
place as you can see below.
**
/etc/raddb/users

DEFAULT Ldap-Group == "CN=Domain Admins,CN=ADMIN - Groups,DC=DOMAIN,DC=HOME,DC=COM", Auth-Type = ntlm_auth
DEFAULT Auth-Type = Reject

#DEFAULT Auth-Type = ntlm_auth
#   Reply-Message = "You have been successfully authenticated! "
**



Here's the checklist of what I've done.

1.   Added an entry simply as "ldap" under the "Instantiate" section in 
/etc/raddb/radiusd.conf
2.  Added the LDAP information as shown above in /etc/raddb/modules/ldap
3.  Configured ntlm_auth under /etc/raddb/modules/ntlm_auth
4.  Configured the mschap module under /etc/raddb/modules/mschap
5.  Added a list of clients who can authenticate in /etc/raddb/clients.conf
6.  Added an entry to check against LDAP groups in /etc/raddb/users (I 
believe this is still a problem for me.  I don't think I have it configured 
properly.  I think I need to visually see an example as it's just not 
"clicking" with me for some reason.)



Here's the RADIUSD -X output from my last auth attempt.

BEGIN RADIUS - X DEBUG OUTPUT
NOTE:  I've changed all my domain information for this troubleshooting, and 
also highlighted anywhere it's referenced.  I'm hoping I'm on the right track 
with what I've highlighted below as to where I believe the problem is.
###
###
###
###

rad_recv: Access-Request packet from host 10.10.0.5 port 1645, id=72, length=73
User-Name = "USERNAMEHERE"
User-Password = "PASSWORDOMMITTED"
NAS-Port = 389
NAS-Port-Id = "tty389"
NAS-Port-Type = Virtual
NAS-IP-Address = 10.10.0.5
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[dig

RE: Can't figure out Group Authentication

2012-06-23 Thread Julson, Jim
Alan, 

That was about the most clear and concise description of the process I've 
found/heard to date.  Thank you for taking the time to educate me.  I will 
attempt to get this going today.  I think I have everything that I need at this 
point.  

Have a good one. 

-Original Message-
From: freeradius-users-bounces+jjulson=marketron@lists.freeradius.org 
[mailto:freeradius-users-bounces+jjulson=marketron@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Saturday, June 23, 2012 6:22 AM
To: FreeRadius users mailing list
Subject: Re: Can't figure out Group Authentication

Julson, Jim wrote:
> Now, I then setup my Cisco router accordingly, and then did an SSH 
> test to it using my AD Account.  Voila!  It worked great.  _*/However, 
> so did every other "Domain User" account in the environment.  /*_ This 
> goes back to me being so new to RADIUS and Linux where I don't feel 
> like I'm fully grasping all of the directives within the configuration 
> files, and exactly how they all tie together.

  Honestly, I don't remember much of that, either.  When I configure the 
server, I usually go back and read the comments *I wrote* to figure out what to 
do.

  But for your issue, you told the server to "use AD to authenticate all 
users".  So that's what it did.

> *So, how do I lock down the SSH Authentication to an Active Directory 
> Group of users, or individual users? * Remember, go easy on me.  I'll 
> provide whatever you need to help.  I'm assuming you will ask for my 
> RADIUSD -X output, so I've attached that as well.

1) configure AD as an LDAP server.  See raddb/modules/ldap

2) add "ldap" to the "instantiate" section of radiusd.conf
   There are references to "ldap" in "authorize" and "authentication"
   You won't need those.

3) Do group checking with LDAP-Group == "group name"

  See the FAQ for examples of rejecting users with a particular group.
The FAQ uses "Group", which is "Unix group from /etc/passwd".  Just use 
LDAP-Group instead.

> NOTE:  One thing I don't understand is how in Alan DeKok's write up from
> the link above, he says don't use the "DEFAULT Auth-Type = ntlm_auth"
> in the "/etc/raddb/users" file, but yet that's one of the final steps 
> to test in the write-up.

  It's an intermediate step.  It's necessary only when you're forcing 
authentication back-ends.

>  Maybe it's because I am so new, but I've been through that document 
> probably 30 times line by line, and yet every time I remove that 
> entry, it breaks the Authentication.

  Yes.  The server needs to know HOW to authenticate the users.  The incoming 
RADIUS packet contains what KIND of authentication method.
PAP, CHAP, MS-CHAP, etc.  So the server has no choice there.

  But where does it get the passwords from?  Normally this is a DB.  But AD 
isn't a DB (for various reasons).  Instead, the "Auth-Type = ntlm_auth" 
reformats and *proxies* the authentication over the Samba protocol, using the 
ntlm_auth program.

  i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this correct?"

  If the server has passwords from a DB, it can just authenticate the user 
directly.  If it doesn't have a password for that user, it has to hand off the 
authentication to someone else.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Can't figure out Group Authentication

2012-06-23 Thread Alan DeKok
Julson, Jim wrote:
> Now, I then setup my Cisco router accordingly, and then did an SSH test
> to it using my AD Account.  Voila!  It worked great.  _*/However, so did
> every other "Domain User" account in the environment.  /*_ This goes
> back to me being so new to RADIUS and Linux where I don't feel like I'm
> fully grasping all of the directives within the configuration files, and
> exactly how they all tie together.

  Honestly, I don't remember much of that, either.  When I configure the
server, I usually go back and read the comments *I wrote* to figure out
what to do.

  But for your issue, you told the server to "use AD to authenticate all
users".  So that's what it did.

> *So, how do I lock down the SSH Authentication to an Active Directory
> Group of users, or individual users? * Remember, go easy on me.  I'll
> provide whatever you need to help.  I'm assuming you will ask for my
> RADIUSD -X output, so I've attached that as well. 

1) configure AD as an LDAP server.  See raddb/modules/ldap

2) add "ldap" to the "instantiate" section of radiusd.conf
   There are references to "ldap" in "authorize" and "authentication"
   You won't need those.

3) Do group checking with LDAP-Group == "group name"

  See the FAQ for examples of rejecting users with a particular group.
The FAQ uses "Group", which is "Unix group from /etc/passwd".  Just use
LDAP-Group instead.

> NOTE:  One thing I don't understand is how in Alan DeKok's write up from
> the link above, he says don't use the "DEFAULT Auth-Type = ntlm_auth"
> in the "/etc/raddb/users" file, but yet that's one of the final steps to
> test in the write-up.

  It's an intermediate step.  It's necessary only when you're forcing
authentication back-ends.

>  Maybe it's because I am so new, but I've been
> through that document probably 30 times line by line, and yet every time
> I remove that entry, it breaks the Authentication. 

  Yes.  The server needs to know HOW to authenticate the users.  The
incoming RADIUS packet contains what KIND of authentication method.
PAP, CHAP, MS-CHAP, etc.  So the server has no choice there.

  But where does it get the passwords from?  Normally this is a DB.  But
AD isn't a DB (for various reasons).  Instead, the "Auth-Type =
ntlm_auth" reformats and *proxies* the authentication over the Samba
protocol, using the ntlm_auth program.

  i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this
correct?"

  If the server has passwords from a DB, it can just authenticate the
user directly.  If it doesn't have a password for that user, it has to
hand off the authentication to someone else.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
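Alan's three steps, written out as an authorize policy in unlang rather than as users-file entries. This is an added example, not code from the thread or from the FreeRADIUS project; it assumes a FreeRADIUS 2.x server with rlm_ldap configured as in Jim's modules/ldap (groupname_attribute = cn) and listed in the instantiate section, and with the mschap and ntlm_auth modules already set up. The group name "Domain Admins" and the DN in the comment are placeholders standing in for whatever the directory actually holds.

```unlang
# Added example (not from the thread): gate ntlm_auth on AD group membership.
# Assumes rlm_ldap is instantiated as "ldap" with groupname_attribute = cn.
authorize {
    preprocess
    mschap        # sets Auth-Type only for MS-CHAP requests; PAP requests fall through

    # Ldap-Group is a comparison that rlm_ldap registers when it is instantiated,
    # so the "ldap" module does not have to be listed in this section for the
    # check to run.  Spaces in the group name are fine as long as the value is
    # quoted.  The short cn works because groupname_attribute = cn; a full DN
    # such as "CN=Domain Admins,OU=ADMIN - Groups,DC=DOMAIN,DC=EXAMPLE,DC=COM"
    # (placeholder) is accepted as well.
    if (Ldap-Group == "Domain Admins") {
        # Member of the admin group: hand the credential check to ntlm_auth
        # (the same Auth-Type the thread's users-file entry sets).
        update control {
            Auth-Type := ntlm_auth
        }
    }
    else {
        # Everyone else is rejected in authorize and never reaches the
        # authenticate section, so a valid domain password is not enough.
        update reply {
            Reply-Message := "Not authorized for device administration"
        }
        reject
    }
}
```

The users-file form Jim posted expresses the same two-branch policy: the first DEFAULT entry matches only when the Ldap-Group check succeeds, and the second DEFAULT (Auth-Type = Reject) catches everything that fell through. When the group match fails, the first thing to confirm in the radiusd -X output is that the group value in the check item is the one rlm_ldap actually searches for beneath basedn: the debug shows the LDAP filter it sends and the DNs it gets back, so a cn that does not match, or a DN from a different domain than the module's basedn, is visible there.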


Re: Question on Cisco-AVPair = "device-traffic-class=voice"

2012-06-23 Thread Matthew Newton
On Sat, Jun 23, 2012 at 08:35:31AM +0800, John wrote:
> With this solution, both Ip phone or other device will be marked
> as 'voice', right?

Yes

> Can we distinguish it is a 'voice' device?  then add
> Cisco-AVPair = "device-traffic-class=voice" . otherwise, don't
> add this attribute.

I hit exactly this issue this week.

It depends on what your NAS sends in the request. Annoyingly it
seems that Cisco doesn't send anything useful apart from the MAC
address in Calling-Station-Id (that I can find), or the username
or certificate checks if you're using 802.1x rather than MAB.

(In my case, at this stage, I'm less concerned about the security
and would more like logging and an easy way to block a MAC
address, so if the switch sends device class details, or even PoE
state, from LLDP or CDP, it would be much more useful, but I
haven't yet found a way to get it to do that.)

So you either look it up in a database, or check the MAC prefix.
Something like

if (Calling-Station-Id =~ /^001122/) {
  update reply...
}

As I said before -

> man unlang

Cisco specifically say in their documentation that you can't check
the mac address prefix if you're using Cisco phones, though, as
unlike some other more useful manufacturers they use many
different prefixes for their phones. That pushes you to have to
use a database of some kind if you use their system (which
thankfully we don't).

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
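Matthew's prefix check, expanded into a complete authorize fragment. This is an added example and not Matthew's own policy; it assumes a FreeRADIUS 2.x server and a Cisco switch doing MAB, and it relies on Cisco MAB requests carrying Service-Type = Call-Check (documented Cisco behaviour, stated here as an assumption about your switch). The OUI 00:11:22 is a constructed placeholder, not a real phone vendor prefix. Note that a MAC prefix is something any device can present, so this assigns a traffic class; it is not an authentication decision, which is why the check is confined to MAB requests and 802.1X requests are left to their user or certificate identity.

```unlang
# Added example (not Matthew's code): tag recognised phone OUIs as voice on MAB only.
# Assumes FreeRADIUS 2.x and a Cisco NAS; 00:11:22 is a constructed placeholder OUI.
authorize {
    preprocess

    # Cisco MAB requests carry Service-Type = Call-Check (assumption: documented
    # Cisco MAB behaviour).  802.1X requests identify the device by username or
    # certificate instead, so the MAC heuristic is not applied to them.
    if (Service-Type == Call-Check) {
        # Depending on the switch's "radius-server attribute 31 mac format"
        # setting, Calling-Station-Id arrives as 00-11-22-33-44-55,
        # 0011.2233.4455 or 00:11:22:33:44:55.  Allowing an optional separator
        # between octets matches all three without normalising the string first.
        # For an OUI containing hex letters, write both cases in a class, e.g.
        # [aA][bB], since the switch may send either case.
        if (Calling-Station-Id =~ /^00[-:.]?11[-:.]?22/) {
            # Matched a phone OUI: ask the switch to put the port in the voice
            # domain.  "+=" adds the AVPair alongside any other reply items.
            update reply {
                Cisco-AVPair += "device-traffic-class=voice"
            }
        }
        # No else branch: an unrecognised MAC gets whatever the rest of the
        # policy returns, with no voice tag, so it stays in the data domain.
    }
}
```

Additional OUIs go into the same regular expression as alternatives, e.g. `/^(00[-:.]?11[-:.]?22|00[-:.]?33[-:.]?44)/`; once the list grows beyond a handful, Matthew's other option, a database lookup keyed on the MAC, is the maintainable route, and it is the only workable one for Cisco phones given the many prefixes he mentions.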