RE: FW: mpd+freeradius+AD

Thank you so much Nikos!

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 30, 2006 4:57 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD

On Friday 30 June 2006 11:57, Егоров Сергей wrote:
> Ok, this is my users file:
>
> test    Auth-Type := MS-CHAP
>         Framed-IP-Address = 192.168.10.65
> DEFAULT Auth-Type := MS-CHAP
>
> And this is the freeradius log when I connect to mpd via the test
> account:
>
> Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
> Sending Access-Accept of id 121 to 127.0.0.1 port 49791
>         Framed-IP-Address = 192.168.10.65
>         MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
>         MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
>         MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
>         MS-MPPE-Encryption-Policy = 0x0002
>         MS-MPPE-Encryption-Types = 0x0004
> rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
>         NAS-Identifier = testradius.ion.ru
>         NAS-Port = 0
>         NAS-Port-Type = Virtual
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Calling-Station-Id = 192.168.12.126
>         User-Name = test
>         Framed-IP-Address = 192.168.10.12
>         Acct-Status-Type = Start
>         Acct-Session-Id = 1652038-pptp0
>         Acct-Multi-Session-Id = 1652038-pptp0
>         Acct-Link-Count = 1
>         Acct-Authentic = RADIUS
> Sending Accounting-Response of id 119 to 127.0.0.1 port 54511
>
> In this log freeradius said that account test is OK, and its address is
> 192.168.10.65. But mpd replaces it with its own. How could I improve it?

use radius-ip
read more here
/usr/local/share/doc/mpd/mpd22.html

> -----Original Message-----
> From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 29, 2006 7:05 PM
> To: Undisclosed.Recipients :
> Cc: Егоров Сергей
> Subject: Re: FW: mpd+freeradius+AD
>
> On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
> > > This is Framed-IP-Address in radius dialect.
> >
> > Thanks for explaining freeradius basic concepts. I understood that to
> > assign an IP to a user I should use the freeradius users file. But I
> > couldn't configure it correctly. Now I have only one line in this file:
> >
> > DEFAULT Auth-Type := MS-CHAP
> >
> > I've added another string (for user test), but it isn't correct:
> >
> > test    Auth-Type := MS-CHAP,
>
> Try without the comma
>
> run the server in debug mode (radiusd -X) and use radclient
>
> >         Framed-IP-Address = 192.168.10.65,
>
> I think you can put this in AD. Don't know...
>
> > What should I fix?
> >
> > -----Original Message-----
> > From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, June 26, 2006 5:09 PM
> > To: freeradius-users@lists.freeradius.org
> > Cc: Егоров Сергей
> > Subject: Re: mpd+freeradius+AD
> >
> > On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> > > Thanks for the reply.
> > >
> > > > You can use one of the three firewalls available in the base system
> > > > (ipfw, ipf and pf), however mpd comes with a small dictionary that
> > > > uses ipfw(8) and you can easily define some filter bound to an
> > > > interface (bound to a username) via a radius reply attribute, let
> > > > filter be a pipe (for bandwidth control) or a packet filtering
> > > > expression.
> > >
> > > That's fine for filtering vpn users' access to the local net. But how
> > > could I assign a specific IP for a specific user in AD?
> > >
> > > > Your questions don't clearly tell where your problem is. Active
> > > > Directory? mpd? or FreeRADIUS? You should define them better in
> > > > order to get help from the list.
> > >
> > > My goal is to replace a VPN server based on win2003 with a FreeBSD
> > > one. WIN 2003 can do 1 and 2 in my questions, so I have to realize
> > > how to set this up in mpd + freeradius. I already authenticate users
> > > from an AD group:
> > >
> > > ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE+VPN_Allowed.
> > >
> > > But I have several vpn groups and need to set up timeouts on each one.
> >
> > Setup timeout? This looks like Session-Timeout in radius dialect.
> >
> > > Also I need to assign a specific IP for a specific user in AD.
> >
> > This is Framed-IP-Address in radius dialect.
> >
> > > Looks like FreeRadius should respond for this.
> >
> > Yes, you have to have a basic understanding of what radius is. All of
> > these are very basic setup. I don't know how FreeRADIUS interacts with
> > AD and what info it should get from AD. So, try searching (or asking)
> > for active directory and FreeRADIUS. Keep the mpd part out of it, since
> > it will add unneeded complexity. Or perhaps start from setting up mpd
> > and FreeRADIUS. And then you could add AD.
> >
> > A few suggestions,
> > Nikos

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
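As an added example, not code from the thread, mpd or FreeRADIUS: a small Python checker that models the users-file layout behind Nikos's "try without the comma" (name and check items on one line with no trailing comma, reply items on indented lines with a comma after each except the last) and reports which line breaks it. The Session-Timeout value and the Fall-Through line in the corrected sample are assumptions, and the checker models the documented layout rather than FreeRADIUS's own parser.

```python
import re

# One 'Attribute op value' item (quoted values containing commas not handled).
ITEM_RE = re.compile(r'^\s*([\w.-]+)\s*(:=|==|\+=|!=|<=|>=|=|<|>)\s*(.+?)\s*$')


def parse_item(text):
    """Split one item into an (attr, op, value) tuple, dropping quotes."""
    m = ITEM_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse item: {text!r}")
    return m.group(1), m.group(2), m.group(3).strip('"')


def parse_users(text):
    """Parse a users file; return (entries, error), error being None on success.
    Layout modelled: a name in column 0 followed by comma-separated check
    items (no trailing comma); reply items on indented lines, each ending
    in a comma except the last.  Each entry is {'name', 'check', 'reply'}.
    """
    entries, pending = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.strip()
        if not body or body.startswith('#'):
            continue
        if raw[0] not in ' \t':  # column 0 starts a new entry
            if pending:
                return [], f"line {lineno - 1}: last reply item ends with a comma"
            name, rest = (body.split(None, 1) + [''])[:2]
            if rest.endswith(','):
                return [], f"line {lineno}: check items of {name!r} end with a comma"
            entries.append({'name': name, 'reply': [],
                            'check': [parse_item(i) for i in rest.split(',') if i.strip()]})
            continue
        if not entries:
            return [], f"line {lineno}: reply item before any entry"
        pending = body.endswith(',')
        entries[-1]['reply'] += [parse_item(i) for i in body.rstrip(',').split(',') if i.strip()]
    if pending:
        return [], "last reply item of the file ends with a comma"
    return entries, None


# Constructed samples: the entry as first posted in the thread (BROKEN) and a
# corrected form; the Session-Timeout value and Fall-Through are assumptions.
BROKEN = """\
test    Auth-Type := MS-CHAP,
        Framed-IP-Address = 192.168.10.65,
DEFAULT Auth-Type := MS-CHAP
"""
CORRECTED = """\
test    Auth-Type := MS-CHAP
        Framed-IP-Address = 192.168.10.65,
        Session-Timeout = 3600,
        Fall-Through = Yes
DEFAULT Auth-Type := MS-CHAP
"""
```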
RE: FW: mpd+freeradius+AD

Ok, this is my users file:

test    Auth-Type := MS-CHAP
        Framed-IP-Address = 192.168.10.65
DEFAULT Auth-Type := MS-CHAP

And this is the freeradius log when I connect to mpd via the test
account:

Login OK: [test/no User-Password attribute] (from client localhost port 0 cli 192.168.12.126)
Sending Access-Accept of id 121 to 127.0.0.1 port 49791
        Framed-IP-Address = 192.168.10.65
        MS-CHAP2-Success = 0x01533d4245433430393843434139344338323441384431463938303641384133453236394441413430
        MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808
        MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251
        MS-MPPE-Encryption-Policy = 0x0002
        MS-MPPE-Encryption-Types = 0x0004
rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
        NAS-Identifier = testradius.ion.ru
        NAS-Port = 0
        NAS-Port-Type = Virtual
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = 192.168.12.126
        User-Name = test
        Framed-IP-Address = 192.168.10.12
        Acct-Status-Type = Start
        Acct-Session-Id = 1652038-pptp0
        Acct-Multi-Session-Id = 1652038-pptp0
        Acct-Link-Count = 1
        Acct-Authentic = RADIUS
Sending Accounting-Response of id 119 to 127.0.0.1 port 54511

In this log freeradius said that account test is OK, and its address is
192.168.10.65. But mpd replaces it with its own. How could I improve it?

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 29, 2006 7:05 PM
To: Undisclosed.Recipients :
Cc: Егоров Сергей
Subject: Re: FW: mpd+freeradius+AD

On Thursday 29 June 2006 15:28, Егоров Сергей wrote:
> > This is Framed-IP-Address in radius dialect.
>
> Thanks for explaining freeradius basic concepts. I understood that to
> assign an IP to a user I should use the freeradius users file. But I
> couldn't configure it correctly. Now I have only one line in this file:
>
> DEFAULT Auth-Type := MS-CHAP
>
> I've added another string (for user test), but it isn't correct:
>
> test    Auth-Type := MS-CHAP,

Try without the comma

run the server in debug mode (radiusd -X) and use radclient

>         Framed-IP-Address = 192.168.10.65,

I think you can put this in AD. Don't know...

> What should I fix?
>
> -----Original Message-----
> From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 26, 2006 5:09 PM
> To: freeradius-users@lists.freeradius.org
> Cc: Егоров Сергей
> Subject: Re: mpd+freeradius+AD
>
> On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> > Thanks for the reply.
> >
> > > You can use one of the three firewalls available in the base system
> > > (ipfw, ipf and pf), however mpd comes with a small dictionary that
> > > uses ipfw(8) and you can easily define some filter bound to an
> > > interface (bound to a username) via a radius reply attribute, let
> > > filter be a pipe (for bandwidth control) or a packet filtering
> > > expression.
> >
> > That's fine for filtering vpn users' access to the local net. But how
> > could I assign a specific IP for a specific user in AD?
> >
> > > Your questions don't clearly tell where your problem is. Active
> > > Directory? mpd? or FreeRADIUS? You should define them better in
> > > order to get help from the list.
> >
> > My goal is to replace a VPN server based on win2003 with a FreeBSD
> > one. WIN 2003 can do 1 and 2 in my questions, so I have to realize
> > how to set this up in mpd + freeradius. I already authenticate users
> > from an AD group:
> >
> > ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE+VPN_Allowed.
> >
> > But I have several vpn groups and need to set up timeouts on each one.
>
> Setup timeout? This looks like Session-Timeout in radius dialect.
>
> > Also I need to assign a specific IP for a specific user in AD.
>
> This is Framed-IP-Address in radius dialect.
>
> > Looks like FreeRadius should respond for this.
>
> Yes, you have to have a basic understanding of what radius is. All of
> these are very basic setup. I don't know how FreeRADIUS interacts with
> AD and what info it should get from AD. So, try searching (or asking)
> for active directory and FreeRADIUS. Keep the mpd part out of it, since
> it will add unneeded complexity. Or perhaps start from setting up mpd
> and FreeRADIUS. And then you could add AD.
>
> A few suggestions,
> Nikos
FW: mpd+freeradius+AD

> This is Framed-IP-Address in radius dialect.

Thanks for explaining freeradius basic concepts. I understood that to
assign an IP to a user I should use the freeradius users file. But I
couldn't configure it correctly. Now I have only one line in this file:

DEFAULT Auth-Type := MS-CHAP

I've added another string (for user test), but it isn't correct:

test    Auth-Type := MS-CHAP,
        Framed-IP-Address = 192.168.10.65,

What should I fix?

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> Thanks for the reply.
>
> > You can use one of the three firewalls available in the base system
> > (ipfw, ipf and pf), however mpd comes with a small dictionary that
> > uses ipfw(8) and you can easily define some filter bound to an
> > interface (bound to a username) via a radius reply attribute, let
> > filter be a pipe (for bandwidth control) or a packet filtering
> > expression.
>
> That's fine for filtering vpn users' access to the local net. But how
> could I assign a specific IP for a specific user in AD?
>
> > Your questions don't clearly tell where your problem is. Active
> > Directory? mpd? or FreeRADIUS? You should define them better in
> > order to get help from the list.
>
> My goal is to replace a VPN server based on win2003 with a FreeBSD
> one. WIN 2003 can do 1 and 2 in my questions, so I have to realize
> how to set this up in mpd + freeradius. I already authenticate users
> from an AD group:
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE+VPN_Allowed.
>
> But I have several vpn groups and need to set up timeouts on each one.

Setup timeout? This looks like Session-Timeout in radius dialect.

> Also I need to assign a specific IP for a specific user in AD.

This is Framed-IP-Address in radius dialect.

> Looks like FreeRadius should respond for this.

Yes, you have to have a basic understanding of what radius is. All of
these are very basic setup. I don't know how FreeRADIUS interacts with
AD and what info it should get from AD. So, try searching (or asking)
for active directory and FreeRADIUS. Keep the mpd part out of it, since
it will add unneeded complexity. Or perhaps start from setting up mpd
and FreeRADIUS. And then you could add AD.

A few suggestions,
Nikos
RE: mpd+freeradius+AD

> This is Framed-IP-Address in radius dialect.

Thanks for explaining freeradius basic concepts. I understood that to
assign an IP to a user I should use the freeradius users file. But I
couldn't configure it correctly. Now I have only one line in this file:

DEFAULT Auth-Type := MS-CHAP

I've added another string (for user test), but it isn't correct:

test    Auth-Type := MS-CHAP,
        Framed-IP-Address = 192.168.10.65,
        Fall-Through = Yes

What should I fix?

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 26, 2006 5:09 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 14:04, Егоров Сергей wrote:
> Thanks for the reply.
>
> > You can use one of the three firewalls available in the base system
> > (ipfw, ipf and pf), however mpd comes with a small dictionary that
> > uses ipfw(8) and you can easily define some filter bound to an
> > interface (bound to a username) via a radius reply attribute, let
> > filter be a pipe (for bandwidth control) or a packet filtering
> > expression.
>
> That's fine for filtering vpn users' access to the local net. But how
> could I assign a specific IP for a specific user in AD?
>
> > Your questions don't clearly tell where your problem is. Active
> > Directory? mpd? or FreeRADIUS? You should define them better in
> > order to get help from the list.
>
> My goal is to replace a VPN server based on win2003 with a FreeBSD
> one. WIN 2003 can do 1 and 2 in my questions, so I have to realize
> how to set this up in mpd + freeradius. I already authenticate users
> from an AD group:
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE+VPN_Allowed.
>
> But I have several vpn groups and need to set up timeouts on each one.

Setup timeout? This looks like Session-Timeout in radius dialect.

> Also I need to assign a specific IP for a specific user in AD.

This is Framed-IP-Address in radius dialect.

> Looks like FreeRadius should respond for this.

Yes, you have to have a basic understanding of what radius is. All of
these are very basic setup. I don't know how FreeRADIUS interacts with
AD and what info it should get from AD. So, try searching (or asking)
for active directory and FreeRADIUS. Keep the mpd part out of it, since
it will add unneeded complexity. Or perhaps start from setting up mpd
and FreeRADIUS. And then you could add AD.

A few suggestions,
Nikos
mpd+freeradius+AD

Hi all!

I have completed setup of mpd+freeradius+AD 2003. Now my users are
authenticating from Active Directory, if they are members of a specific
group. But I still have some questions:

1. How to make different timeouts for different groups in AD
2. How to appoint a special IP for special users
3. How to restrict users to access only defined IPs in my network
RE: mpd+freeradius+AD

Thanks for the reply.

> You can use one of the three firewalls available in the base system
> (ipfw, ipf and pf), however mpd comes with a small dictionary that
> uses ipfw(8) and you can easily define some filter bound to an
> interface (bound to a username) via a radius reply attribute, let
> filter be a pipe (for bandwidth control) or a packet filtering
> expression.

That's fine for filtering vpn users' access to the local net. But how
could I assign a specific IP for a specific user in AD?

> Your questions don't clearly tell where your problem is. Active
> Directory? mpd? or FreeRADIUS? You should define them better in
> order to get help from the list.

My goal is to replace a VPN server based on win2003 with a FreeBSD one.
WIN 2003 can do 1 and 2 in my questions, so I have to realize how to set
this up in mpd + freeradius. I already authenticate users from an AD
group:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=EXAMPLE+VPN_Allowed.

But I have several vpn groups and need to set up timeouts on each one.
Also I need to assign a specific IP for a specific user in AD. Looks like
FreeRadius should respond for this.

-----Original Message-----
From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 26, 2006 2:22 PM
To: freeradius-users@lists.freeradius.org
Cc: Егоров Сергей
Subject: Re: mpd+freeradius+AD

On Monday 26 June 2006 09:55, Егоров Сергей wrote:
> Hi all!
>
> I have completed setup of mpd+freeradius+AD 2003. Now my users are
> authenticating from Active Directory, if they are members of a
> specific group. But I still have some questions:
>
> 1. How to make different timeouts for different groups in AD
> 2. How to appoint a special IP for special users
> 3. How to restrict users to access only defined IPs in my network

You can use one of the three firewalls available in the base system
(ipfw, ipf and pf), however mpd comes with a small dictionary that uses
ipfw(8) and you can easily define some filter bound to an interface
(bound to a username) via a radius reply attribute, let filter be a pipe
(for bandwidth control) or a packet filtering expression.

So, if you want different rules for different usernames ipfw is the
sensible packet filter to use.

You can find the radius section of mpd here:
http://www.bretterklieber.com/mpd/doc4/mpd28.html

Your questions don't clearly tell where your problem is. Active
Directory? mpd? or FreeRADIUS? You should define them better in order to
get help from the list.

HTH a bit,
Nikos