RE: FW: mpd+freeradius+AD

2006-07-07 Thread Егоров Сергей
Thank you so much Nikos!


-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 30, 2006 4:57 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD

On Friday 30 June 2006 11:57, Егоров Сергей wrote:
 Ok, this is my users file

 test    Auth-Type := MS-CHAP
         Framed-IP-Address = 192.168.10.65
 DEFAULT Auth-Type := MS-CHAP

 And this is the freeradius log when I connect to mpd via the test account:

 Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
 Sending Access-Accept of id 121 to 127.0.0.1 port 49791
         Framed-IP-Address = 192.168.10.65
         MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
         MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
         MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
         MS-MPPE-Encryption-Policy = 0x0002
         MS-MPPE-Encryption-Types = 0x0004
 rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
         NAS-Identifier = testradius.ion.ru
         NAS-Port = 0
         NAS-Port-Type = Virtual
         Service-Type = Framed-User
         Framed-Protocol = PPP
         Calling-Station-Id = 192.168.12.126
         User-Name = test
         Framed-IP-Address = 192.168.10.12
         Acct-Status-Type = Start
         Acct-Session-Id = 1652038-pptp0
         Acct-Multi-Session-Id = 1652038-pptp0
         Acct-Link-Count = 1
         Acct-Authentic = RADIUS
 Sending Accounting-Response of id 119 to 127.0.0.1 port 54511

 In this log freeradius said that account test is OK and its address is
 192.168.10.65. But mpd replaces it with its own. How could I improve it?


use radius-ip
read more here /usr/local/share/doc/mpd/mpd22.html



 -Original Message-
 From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]
 Sent: Thursday, June 29, 2006 7:05 PM
 To: Undisclosed.Recipients :
 Cc: Егоров Сергей
 Subject: Re: FW: mpd+freeradius+AD

 On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
  This is Framed-IP-Address in radius dialect.

  Thanks for explaining freeradius basic concepts. I understood that to
  assign an IP to a user I should use the freeradius users file. But I couldn't
  configure it correctly. Now I have only one line in this file

  DEFAULT Auth-Type := MS-CHAP

  I've added another line (for user test), but it isn't correct

  test   Auth-Type := MS-CHAP,

 Try without the comma

 run the server in debug mode (radiusd -X)
 and use radclient

 Framed-IP-Address = 192.168.10.65,

 I think you can put this in AD. Don't know...

  What should I fix?


  -Original Message-
  From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
  Sent: Monday, June 26, 2006 5:09 PM
  To: freeradius-users@lists.freeradius.org
  Cc: Егоров Сергей
  Subject: Re: mpd+freeradius+AD

  On Monday 26 June 2006 14:04, Егоров Сергей wrote:
   Thanks for the reply.

    You can use one of the three firewalls available in the base system (ipfw,
    ipf and pf), however mpd comes with a small dictionary that uses
    ipfw(8) and you can easily define some filter bound to an interface
    (bound to a username) via a radius reply attribute, let filter be a
    pipe (for bandwidth control) or a packet filtering expression.

   That's fine for filtering vpn users' access to the local net. But how could
   I assign a specific IP to a specific user in AD?

    Your questions don't clearly tell where your problem is.
    Active Directory? mpd? or FreeRADIUS? You should define
    them better in order to get help from the list.

   My goal is to replace the VPN server, based on win2003, with a FreeBSD one.
   WIN 2003 can do 1 and 2 in my questions, so I have to figure out how to
   set this up in mpd + freeradius. I already authenticate users from an AD
   group:

   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
     --username=%{Stripped-User-Name:-%{User-Name:-None}}
     --challenge=%{mschap:Challenge:-00}
     --nt-response=%{mschap:NT-Response:-00}
     --require-membership-of=EXAMPLE+VPN_Allowed.

   But I have several vpn groups and need to set up timeouts on each one.

  setup timeout? This looks like Session-Timeout in radius dialect.

   Also
   I need to assign a specific IP to a specific user in AD.

  This is Framed-IP-Address in radius dialect.

   Looks like
   FreeRadius should respond for this.

  Yes, you have to have a basic understanding of what radius is. All of these
  are very basic setup. I don't know how FreeRADIUS interacts with AD and
  what info it should get from AD. So, try searching (or asking) for active
  directory and FreeRADIUS. Keep the mpd part out of it, since it will
  add unneeded complexity. Or perhaps start from setting up mpd and
  FreeRADIUS. And then you could add AD.

  A few suggestions, Nikos
 
  -
  List info/subscribe/unsubscribe? See
  http
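
The mismatch in the log quoted above (RADIUS hands out 192.168.10.65 in the Access-Accept, the Accounting Start from mpd reports 192.168.10.12) is easy to miss by eye once there are many sessions, and it matters whenever firewall rules or audit records are keyed on the address RADIUS assigned. The following is an added example, not code from the thread, FreeRADIUS or mpd: it parses radiusd -X style output, pairs each user's Access-Accept Framed-IP-Address with the Framed-IP-Address in that user's Accounting-Request Start, and lists the sessions where the NAS used a different address. The log text inside the block is a constructed sample modelled on the lines quoted in the thread; the second user `alice` and the exact line layout are assumptions.

```python
"""Check that the NAS honoured the Framed-IP-Address FreeRADIUS sent.

Parses radiusd -X style output, pairs each user's Access-Accept with the
Accounting-Request Start for the same user and reports where the NAS
reported a different address. Added example; SAMPLE_LOG is constructed."""
import re

# Constructed sample modelled on the log quoted in the thread: `test` is the
# mismatching session from the thread, `alice` is an assumed well-behaved one.
SAMPLE_LOG = """\
Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
Sending Access-Accept of id 121 to 127.0.0.1 port 49791
        Framed-IP-Address = 192.168.10.65
        MS-MPPE-Encryption-Policy = 0x0002
        MS-MPPE-Encryption-Types = 0x0004
rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
        NAS-Identifier = testradius.ion.ru
        NAS-Port-Type = Virtual
        Calling-Station-Id = 192.168.12.126
        User-Name = test
        Framed-IP-Address = 192.168.10.12
        Acct-Status-Type = Start
        Acct-Session-Id = 1652038-pptp0
Sending Accounting-Response of id 119 to 127.0.0.1 port 54511
Login OK: [alice/no User-Password attribute] (from client localhost port 0 cli 192.168.12.130)
Sending Access-Accept of id 122 to 127.0.0.1 port 49792
        Framed-IP-Address = 192.168.10.66
rad_recv: Accounting-Request packet from host 127.0.0.1:54512, id=120, length=139
        User-Name = alice
        Framed-IP-Address = 192.168.10.66
        Acct-Status-Type = Start
        Acct-Session-Id = 1652039-pptp1
Sending Accounting-Response of id 120 to 127.0.0.1 port 54512
"""

LOGIN_OK_RE = re.compile(r"^Login OK: \[([^/\]]+)")   # "Login OK: [test/..." -> "test"
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.+?)\s*$")   # indented "Attribute = value"


def parse_log(text):
    """Return (assigned, starts): user -> IP from Access-Accept, and a list of
    (user, ip, session_id) taken from Accounting-Request Start packets."""
    assigned, starts = {}, []
    user, section, attrs = None, None, {}

    def flush():
        # Commit the attribute block collected for the current packet.
        nonlocal attrs
        if section == "accept" and user and "Framed-IP-Address" in attrs:
            assigned[user] = attrs["Framed-IP-Address"]
        elif section == "acct" and attrs.get("Acct-Status-Type") == "Start":
            starts.append((attrs.get("User-Name"), attrs.get("Framed-IP-Address"),
                           attrs.get("Acct-Session-Id")))
        attrs = {}

    for line in text.splitlines():
        m = LOGIN_OK_RE.match(line)
        if m:                      # the Access-Accept that follows belongs to this user
            flush(); section = None; user = m.group(1); continue
        if line.startswith("Sending Access-Accept"):
            flush(); section = "accept"; continue
        if line.startswith("rad_recv: Accounting-Request"):
            flush(); section = "acct"; continue
        if line.startswith("Sending Accounting-Response"):
            flush(); section = None; continue
        m = ATTR_RE.match(line)
        if m and section:
            attrs[m.group(1)] = m.group(2)
    flush()
    return assigned, starts


def find_overrides(assigned, starts):
    """Sessions where the NAS reported an address other than the one RADIUS assigned."""
    return [{"user": u, "session": s, "assigned": assigned[u], "reported": ip}
            for u, ip, s in starts if u in assigned and ip != assigned[u]]


if __name__ == "__main__":
    for o in find_overrides(*parse_log(SAMPLE_LOG)):
        print(f"{o['user']} ({o['session']}): RADIUS assigned {o['assigned']}, "
              f"NAS reported {o['reported']}")
```

Run over the sample it reports only the `test` session. After enabling radius-ip in mpd as suggested above, the same check over a fresh debug log should return an empty list; a non-empty result means the NAS is still handing out addresses from its own pool and any per-address filtering downstream is keyed on the wrong value.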

RE: FW: mpd+freeradius+AD

2006-06-30 Thread Егоров Сергей

Ok, this is my users file

test    Auth-Type := MS-CHAP
        Framed-IP-Address = 192.168.10.65
DEFAULT Auth-Type := MS-CHAP

And this is the freeradius log when I connect to mpd via the test account:

Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
Sending Access-Accept of id 121 to 127.0.0.1 port 49791
        Framed-IP-Address = 192.168.10.65
        MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
        MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
        MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
        MS-MPPE-Encryption-Policy = 0x0002
        MS-MPPE-Encryption-Types = 0x0004
rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
        NAS-Identifier = testradius.ion.ru
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = 192.168.12.126
        User-Name = test
        Framed-IP-Address = 192.168.10.12
        Acct-Status-Type = Start
        Acct-Session-Id = 1652038-pptp0
        Acct-Multi-Session-Id = 1652038-pptp0
        Acct-Link-Count = 1
        Acct-Authentic = RADIUS
Sending Accounting-Response of id 119 to 127.0.0.1 port 54511

In this log freeradius said that account test is OK and its address is 192.168.10.65. But mpd replaces it with its own. How could I improve it?



-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 29, 2006 7:05 PM
To: Undisclosed.Recipients :
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD

On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
 This is Framed-IP-Address in radius dialect.

 Thanks for explaining freeradius basic concepts. I understood that to
 assign an IP to a user I should use the freeradius users file. But I couldn't
 configure it correctly. Now I have only one line in this file

 DEFAULT Auth-Type := MS-CHAP

 I've added another line (for user test), but it isn't correct

 test   Auth-Type := MS-CHAP,

Try without the comma

run the server in debug mode (radiusd -X)
and use radclient

 Framed-IP-Address = 192.168.10.65,

I think you can put this in AD. Don't know...

 What should I fix?


 -Original Message-
 From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
 Sent: Monday, June 26, 2006 5:09 PM
 To: freeradius-users@lists.freeradius.org
 Cc: Егоров Сергей
 Subject: Re: mpd+freeradius+AD

 On Monday 26 June 2006 14:04, Егоров Сергей wrote:
  Thanks for the reply.

   You can use one of the three firewalls available in the base system (ipfw,
   ipf and pf), however mpd comes with a small dictionary that uses
   ipfw(8) and you can easily define some filter bound to an interface
   (bound to a username) via a radius reply attribute, let filter be a
   pipe (for bandwidth control) or a packet filtering expression.

  That's fine for filtering vpn users' access to the local net. But how could I
  assign a specific IP to a specific user in AD?

   Your questions don't clearly tell where your problem is.
   Active Directory? mpd? or FreeRADIUS? You should define
   them better in order to get help from the list.

  My goal is to replace the VPN server, based on win2003, with a FreeBSD one. WIN
  2003 can do 1 and 2 in my questions, so I have to figure out how to set this
  up in mpd + freeradius. I already authenticate users from an AD group:

  ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
    --username=%{Stripped-User-Name:-%{User-Name:-None}}
    --challenge=%{mschap:Challenge:-00}
    --nt-response=%{mschap:NT-Response:-00}
    --require-membership-of=EXAMPLE+VPN_Allowed.

  But I have several vpn groups and need to set up timeouts on each one.

 setup timeout? This looks like Session-Timeout in radius dialect.

  Also
  I need to assign a specific IP to a specific user in AD.

 This is Framed-IP-Address in radius dialect.

  Looks like
  FreeRadius should respond for this.

 Yes, you have to have a basic understanding of what radius is. All of these
 are very basic setup. I don't know how FreeRADIUS interacts with AD and
 what info it should get from AD. So, try searching (or asking) for active
 directory and FreeRADIUS. Keep the mpd part out of it, since it will
 add unneeded complexity. Or perhaps start from setting up mpd and
 FreeRADIUS. And then you could add AD.

 A few suggestions, Nikos



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
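
Nikos's "try without the comma" comes down to the users file layout: the first line of an entry carries the name and the check items, the indented lines that follow carry reply items separated by commas, the last reply item has no comma, and a later entry such as DEFAULT is consulted for the same user only when the matching entry replies Fall-Through = Yes. The following is an added example, not FreeRADIUS code: a small linter and parser for that layout plus a simplified model of the first-match lookup. It flags both stray commas in the entry as first posted in this thread and then resolves a corrected entry in which Fall-Through lets DEFAULT add a Session-Timeout on top of the per-user Framed-IP-Address. The corrected file and the 3600-second Session-Timeout are assumptions; the matcher only understands `:=`, `=` and `==` and is a model of the behaviour, not a replacement for running radiusd -X.

```python
"""Lint, parse and resolve FreeRADIUS `users` file entries.

Added example, not FreeRADIUS code. Models the layout the thread is about:
name + check items on the first line, indented comma-separated reply items
with no comma after the last one, and first-match lookup that continues past
a matching entry only when it replies Fall-Through = Yes."""
import re

# The entry as first posted in the thread: comma after the check items and
# after the last reply item, both of which the real parser rejects.
BROKEN_USERS = """\
test   Auth-Type := MS-CHAP,
       Framed-IP-Address = 192.168.10.65,
DEFAULT Auth-Type := MS-CHAP
"""

# Corrected (constructed): a fixed address for `test`, with Fall-Through so the
# DEFAULT entry's reply items (an assumed Session-Timeout) apply to it as well.
GOOD_USERS = """\
# per-user static address
test    Auth-Type := MS-CHAP
        Framed-IP-Address = 192.168.10.65,
        Fall-Through = Yes

DEFAULT Auth-Type := MS-CHAP
        Session-Timeout = 3600
"""

PAIR_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|\S+)\s*$')


def _strip(raw):
    """Drop comments and trailing whitespace; leading whitespace is significant."""
    return raw.split("#", 1)[0].rstrip()


def lint_users(text):
    """Return (lineno, message) pairs for the comma/indent mistakes the parser rejects."""
    lines = [_strip(l) for l in text.splitlines()]
    problems, in_entry = [], False
    for no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        if line[0] not in " \t":                 # entry line: name and check items
            in_entry = True
            if line.endswith(","):
                problems.append((no, "check-item line must not end with a comma"))
            continue
        if not in_entry:
            problems.append((no, "reply item outside any entry"))
        following = next((l for l in lines[no:] if l.strip()), "")
        more = following[:1] in (" ", "\t")      # another reply line follows this one
        if line.endswith(",") and not more:
            problems.append((no, "last reply item must not end with a comma"))
        elif more and not line.endswith(","):
            problems.append((no, "reply item needs a trailing comma when more follow"))
    return problems


def parse_users(text, strict=True):
    """Parse into [{name, check, reply}] with (attr, op, value) triples."""
    if strict and (problems := lint_users(text)):
        raise ValueError(f"users file rejected: {problems}")
    entries, cur = [], None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line.strip():
            continue
        if line[0] not in " \t":
            parts = line.split(None, 1)
            cur = {"name": parts[0], "check": [], "reply": []}
            entries.append(cur)
            target, items = cur["check"], (parts[1] if len(parts) > 1 else "")
        else:
            if cur is None:
                raise ValueError(f"reply item before any entry: {line.strip()!r}")
            target, items = cur["reply"], line
        for item in filter(str.strip, items.split(",")):
            m = PAIR_RE.match(item)
            if not m:
                raise ValueError(f"cannot parse pair {item.strip()!r}")
            target.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return entries


def lookup(entries, username, request=None):
    """Return (control, reply) for username: first entry named username or DEFAULT
    whose `==` check items match the request; `:=` sets a control attribute, `=`
    sets it only if unset; stop after a match unless it replied Fall-Through = Yes."""
    request, control, reply = request or {}, {}, {}
    for e in entries:
        if e["name"] not in (username, "DEFAULT"):
            continue
        if any(request.get(a) != v for a, op, v in e["check"] if op == "=="):
            continue
        for a, op, v in e["check"]:
            if op == ":=" or (op == "=" and a not in control):
                control[a] = v
        fall_through = False
        for a, op, v in e["reply"]:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply[a] = v
        if not fall_through:
            break
    return control, reply
```

`lint_users(BROKEN_USERS)` reports line 1 (comma after the check items) and line 2 (comma after the last reply item), which is exactly what "try without the comma" refers to; `parse_users(GOOD_USERS)` followed by `lookup(entries, "test")` yields both the static Framed-IP-Address and the DEFAULT entry's Session-Timeout, while any other user gets only the Session-Timeout. Without the Fall-Through line, `test` would stop at its own entry and never receive the timeout, which is the usual surprise when per-user and DEFAULT entries are mixed.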

FW: mpd+freeradius+AD

2006-06-29 Thread Егоров Сергей

This is Framed-IP-Address in radius dialect.

Thanks for explaining freeradius basic concepts. I understood that to assign an
IP to a user I should use the freeradius users file. But I couldn't configure it
correctly. Now I have only one line in this file

DEFAULT Auth-Type := MS-CHAP

I've added another line (for user test), but it isn't correct

test   Auth-Type := MS-CHAP,
       Framed-IP-Address = 192.168.10.65,

What should I fix?


-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 14:04, Егоров Сергей wrote:
 Thanks for the reply.

  You can use one of the three firewalls available in the base system (ipfw,
  ipf and pf), however mpd comes with a small dictionary that uses
  ipfw(8) and you can easily define some filter bound to an interface
  (bound to a username) via a radius reply attribute, let filter be a
  pipe (for bandwidth control) or a packet filtering expression.

 That's fine for filtering vpn users' access to the local net. But how could I
 assign a specific IP to a specific user in AD?

  Your questions don't clearly tell where your problem is.
  Active Directory? mpd? or FreeRADIUS? You should define
  them better in order to get help from the list.

 My goal is to replace the VPN server, based on win2003, with a FreeBSD one. WIN
 2003 can do 1 and 2 in my questions, so I have to figure out how to set this
 up in mpd + freeradius. I already authenticate users from an AD group:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
   --username=%{Stripped-User-Name:-%{User-Name:-None}}
   --challenge=%{mschap:Challenge:-00}
   --nt-response=%{mschap:NT-Response:-00}
   --require-membership-of=EXAMPLE+VPN_Allowed.

 But I have several vpn groups and need to set up timeouts on each one.

setup timeout? This looks like Session-Timeout in radius dialect.

 Also
 I need to assign a specific IP to a specific user in AD.

This is Framed-IP-Address in radius dialect.

 Looks like
 FreeRadius should respond for this.

Yes, you have to have a basic understanding of what radius is. All of these
are very basic setup. I don't know how FreeRADIUS interacts with AD and
what info it should get from AD. So, try searching (or asking) for active
directory and FreeRADIUS. Keep the mpd part out of it, since it will
add unneeded complexity. Or perhaps start from setting up mpd and
FreeRADIUS. And then you could add AD.

A few suggestions, Nikos

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: mpd+freeradius+AD

2006-06-28 Thread Егоров Сергей
This is Framed-IP-Address in radius dialect.

Thanks for explaining freeradius basic concepts. I understood that to assign an
IP to a user I should use the freeradius users file. But I couldn't configure it
correctly. Now I have only one line in this file

DEFAULT Auth-Type := MS-CHAP

I've added another line (for user test), but it isn't correct

test   Auth-Type := MS-CHAP,
       Framed-IP-Address = 192.168.10.65,
       Fall-Through = Yes

What should I fix?


-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 14:04, Егоров Сергей wrote:
 Thanks for the reply.

  You can use one of the three firewalls available in the base system (ipfw,
  ipf and pf), however mpd comes with a small dictionary that uses
  ipfw(8) and you can easily define some filter bound to an interface
  (bound to a username) via a radius reply attribute, let filter be a
  pipe (for bandwidth control) or a packet filtering expression.

 That's fine for filtering vpn users' access to the local net. But how could I
 assign a specific IP to a specific user in AD?

  Your questions don't clearly tell where your problem is.
  Active Directory? mpd? or FreeRADIUS? You should define
  them better in order to get help from the list.

 My goal is to replace the VPN server, based on win2003, with a FreeBSD one. WIN
 2003 can do 1 and 2 in my questions, so I have to figure out how to set this
 up in mpd + freeradius. I already authenticate users from an AD group:

 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
   --username=%{Stripped-User-Name:-%{User-Name:-None}}
   --challenge=%{mschap:Challenge:-00}
   --nt-response=%{mschap:NT-Response:-00}
   --require-membership-of=EXAMPLE+VPN_Allowed.

 But I have several vpn groups and need to set up timeouts on each one.

setup timeout? This looks like Session-Timeout in radius dialect.

 Also
 I need to assign a specific IP to a specific user in AD.

This is Framed-IP-Address in radius dialect.

 Looks like
 FreeRadius should respond for this.

Yes, you have to have a basic understanding of what radius is. All of these
are very basic setup. I don't know how FreeRADIUS interacts with AD and
what info it should get from AD. So, try searching (or asking) for active
directory and FreeRADIUS. Keep the mpd part out of it, since it will
add unneeded complexity. Or perhaps start from setting up mpd and
FreeRADIUS. And then you could add AD.

A few suggestions, Nikos

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


mpd+freeradius+AD

2006-06-26 Thread Егоров Сергей

Hi all! I have completed setup of mpd+freeradius+AD 2003. Now my users
authenticate from Active Directory if they are members of a specific group.
But I still have some questions:

1. How to make different timeouts for different groups in AD
2. How to appoint a special IP for special users
3. How to restrict users to access only defined IPs in my network

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: mpd+freeradius+AD

2006-06-26 Thread Егоров Сергей
Thanks for the reply.

 You can use one of the three firewalls available in the base system (ipfw, ipf
 and pf), however mpd comes with a small dictionary that uses ipfw(8) and you
 can easily define some filter bound to an interface (bound to a username) via
 a radius reply attribute, let filter be a pipe (for bandwidth control) or a
 packet filtering expression.

That's fine for filtering vpn users' access to the local net. But how could I
assign a specific IP to a specific user in AD?

 Your questions don't clearly tell where your problem is.
 Active Directory? mpd? or FreeRADIUS? You should define
 them better in order to get help from the list.

My goal is to replace the VPN server, based on win2003, with a FreeBSD one. WIN
2003 can do 1 and 2 in my questions, so I have to figure out how to set this up
in mpd + freeradius. I already authenticate users from an AD group:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
  --username=%{Stripped-User-Name:-%{User-Name:-None}}
  --challenge=%{mschap:Challenge:-00}
  --nt-response=%{mschap:NT-Response:-00}
  --require-membership-of=EXAMPLE+VPN_Allowed.

But I have several vpn groups and need to set up timeouts on each one. Also I
need to assign a specific IP to a specific user in AD. Looks like FreeRadius
should respond for this.


-Original Message-
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 26, 2006 2:22 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 09:55, Егоров Сергей wrote:
 Hi all! I have completed setup of mpd+freeradius+AD 2003. Now my users
 authenticate from Active Directory if they are members of a specific
 group. But I still have some questions:

 1. How to make different timeouts for different groups in AD
 2. How to appoint a special IP for special users
 3. How to restrict users to access only defined IPs in my network

You can use one of the three firewalls available in the base system (ipfw, ipf
and pf), however mpd comes with a small dictionary that uses ipfw(8) and you
can easily define some filter bound to an interface (bound to a username) via a
radius reply attribute, let filter be a pipe (for bandwidth control) or a packet
filtering expression. So, if you want different rules for different usernames
ipfw is the sensible packet filter to use.

You can find the radius section of mpd here:
http://www.bretterklieber.com/mpd/doc4/mpd28.html

Your questions don't clearly tell where your problem is.
Active Directory? mpd? or FreeRADIUS? You should define
them better in order to get help from the list.

HTH a bit, Nikos

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


mpd+freeradius+AD

2006-06-20 Thread Егоров Сергей

Hi all! I have completed setup of mpd+freeradius+AD 2003. Now my users
authenticate from Active Directory if they are members of a specific group.
But I still have some questions:

1. How to make different timeouts for different groups in AD
2. How to appoint a special IP for special users
3. How to restrict users to access only defined IPs in my network


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html