RE: wireless - freeradius - MS ldap
Can you send the results of your successful login using ldapsearch?

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Dickson, John
> Sent: January 4, 2006 2:20 PM
> To: FreeRadius users mailing list
> Subject: RE: wireless - freeradius - MS ldap
>
> Sorry, it was a failed attempt at not sending the REAL data.
> I have verified that the ldapsearch credentials are the
> credentials used in the radiusd.conf. The user has been verified.
>
> I did have to add the details after the @ sign (using ldap search).
> Applying the same details in the radiusd.conf file and I
> still do not pass auth to the Windowz ldap. My thoughts are
> that it has something to do with "realm" section.
>
> John
>
> Using the credentials under the ldap settings for the
> radiusd.conf and cli with ldapsearch, ldapsearch produces results
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Wednesday, January 04, 2006 3:36 PM
> To: FreeRadius users mailing list
> Subject: Re: wireless - freeradius - MS ldap
>
> "Dickson, John" <[EMAIL PROTECTED]> wrote:
> > Here is my ldap section:
> >
> > ldap {
> >         server = "10.1.1.29"
> >         identity = dmadmin1
> >         password = [EMAIL PROTECTED]
>   ...
>
> > This seems to work:
> >
> > [EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b
> > 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu' -D
> > [EMAIL PROTECTED] -w Passw0rd
>
>   Hmm... did you use the same user/password information as
> the ldap config to do the ldapsearch?
>
>   Nope.
>
>   Are you surprised that the results are different from what
> FreeRADIUS sees? If so, why?
>
>   Alan DeKok.

This message (including any attachments) is confidential, may be privileged and is only intended for the person to whom it is addressed. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorized use or dissemination of this message in whole or in part is strictly prohibited. E-mail communications are inherently vulnerable to interception by unauthorized parties and are susceptible to change. We will use alternate communication means upon request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: wireless - freeradius - MS ldap
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Dickson, John
> Sent: January 4, 2006 11:32 AM
> To: FreeRadius users mailing list
> Subject: RE: wireless - freeradius - MS ldap
>
> Here is my ldap section:
>
> ldap {
>         server = "10.1.1.29"
>         identity = dmadmin1
>         password = [EMAIL PROTECTED]
>         basedn = "dc=ssotest,dc=mccsso,dc=mccneb,dc=edu"
>         filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 689) connections
>         start_tls = no
>
>         # tls_cacertfile        = /path/to/cacert.pem
>         # tls_cacertdir         = /path/to/ca/dir/
>         # tls_certfile          = /path/to/radius.crt
>         # tls_keyfile           = /path/to/radius.key
>         # tls_randfile          = /path/to/rnd
>         # tls_require_cert      = "demand"
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         access_attr = "dialupAccess"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 5
>
>         #
>         # NOTICE: The password_header directive is NOT case insensitive
>         #
>         # password_header = "{clear}"
>         #
>         # Set:
>         #       password_attribute = nspmPassword
>         #
>         # to get the user's password from a Novell eDirectory
>         # backend. This will work *only if* freeRADIUS is
>         # configured to build with --with-edir option.
>         #
>         #
>         # The server can usually figure this out on its own, and pull
>         # the correct User-Password or NT-Password from the database.
>         #
>         # Note that NT-Passwords MUST be stored as a 32-digit hex
>         # string, and MUST start off with "0x", such as:
>         #
>         #       0x000102030405060708090a0b0c0d0e0f
>         #
>         # Without the leading "0x", NT-Passwords will not work.
>         # This goes for NT-Passwords stored in SQL, too.
>         #
>         # password_attribute = userPassword
>         #
>         # Un-comment the following to disable Novell eDirectory account
>         # policy check and intruder detection. This will work *only if*
>         # FreeRADIUS is configured to build with --with-edir option.
>         #
>         # edir_account_policy_check=no
>         #
>         # groupname_attribute = cn
>         # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         # groupmembership_attribute = radiusGroupName
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         # compare_check_items = yes
>         # do_xlat = yes
>         # access_attr_used_for_allow = yes
> }
>
> Verify first that you can in fact query Active Directory with this
> username/password combination.
>
> There is a utility called ldapsearch. I believe it comes with OpenLDAP.
> Use that to directly query AD for verification.
>
> Here is an example:
>
> ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful -w userspass
>
> This seems to work:
>
> [EMAIL PROTECTED] ~]$ ldapsearch -LLL -h name.serverdm.domain.edu -x -b
> 'ou=Users,dc=name,dc=serverdm,dc=domain,dc=edu' -D
> [EMAIL PROTECTED] -w Passw0rd
> No such object (32)
> Matched DN: DC=serverdm,DC=domain,DC=edu
> Additional information: 208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
>         'DC=serverdm,DC=domain,DC=edu'

Nope. That didn't work. Please read up on ldapsearch ("man ldapsearch"). Until you CAN verify that the username/password is correct, it won't do you any good messing with FreeRADIUS.

> What does your "ldap" section in radiusd.conf look like? Can you please
> provide copy?
>
> This will make sure that the credentials are correct or not.
RE: wireless - freeradius - MS ldap
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Dickson, John
> Sent: January 4, 2006 9:27 AM
> To: FreeRadius users mailing list
> Subject: RE: wireless - freeradius - MS ldap
>
> Here is the output of my RADIUS server. I verified the
> account on the LDAP server as a domain admin
>
> rad_recv: Access-Request packet from host 10.1.1.27:32773, id=254, length=59
> --- Walking the entire request list ---
> Waking up in 31 seconds...
> Threads: total/active/spare threads = 5/0/5
> Thread 1 got semaphore
> Thread 1 handling request 0, (1 handled so far)
>         User-Name = "radtest"
>         User-Password = "Passw0rd"
>         NAS-IP-Address = 255.255.255.255
>         NAS-Port = 0
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module "preprocess" returns ok for request 0
>   modcall[authorize]: module "chap" returns noop for request 0
>   modcall[authorize]: module "mschap" returns noop for request 0
>     rlm_realm: No '@' in User-Name = "radtest", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 0
>   rlm_eap: No EAP-Message, not doing EAP
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry DEFAULT at line 152
>   modcall[authorize]: module "files" returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for radtest
> radius_xlat:  '(uid=radtest)'
> radius_xlat:  'ou=Local Users,dc=name,dc=serverdm,dc=domain,dc=edu'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to name.serverdm.domain.edu:389, authentication 0

Can you resolve name.serverdm.domain.edu successfully? Please verify that too.

> rlm_ldap: bind as powerful/userspass to name.serverdm.domain.edu:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf

Verify first that you can in fact query Active Directory with this username/password combination.

There is a utility called ldapsearch. I believe it comes with OpenLDAP. Use that to directly query AD for verification.

Here is an example:

ldapsearch -LLL -h name.serverdm.domain.edu -x -b 'dc=domain,dc=com' '(samaccountname=powerful)' -D powerful -w userspass

What does your "ldap" section in radiusd.conf look like? Can you please provide copy?

This will make sure that the credentials are correct or not.

> rlm_ldap: (re)connection attempt failed
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns fail for request 0
> modcall: group authorize returns fail for request 0
> There was no response configured: rejecting request 0
> Server rejecting request 0.
> Finished request 0
> Going to the next request
> Thread 1 waiting to be assigned a request
> rad_recv: Access-Request packet from host 10.1.1.27:32773, id=254, length=59
> Sending Access-Reject of id 254 to 10.1.1.27:32773
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 254 with timestamp 43bbea42
> Nothing to do. Sleeping until we see a request.
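The check asked for above (bind to the directory with ldapsearch using exactly the identity and password that rlm_ldap uses, not a different pair) can be driven from the debug output itself. What follows is an added example, not FreeRADIUS code and not anything posted in the thread: it pulls the bind target, identity, password, expanded base DN and filter out of `radiusd -X` output, emits the ldapsearch command that performs the same simple bind, and scrubs the secrets before the output is mailed anywhere. The scrubbing matters because the 1.x debug output carries both the test user's User-Password and the LDAP bind password (the "bind as identity/password" line quoted above). The sample lines are constructed from the line formats in the messages above; "powerful", "userspass" and "s3cret" are placeholders. Two Active Directory caveats that the code cannot check for you: AD user objects normally have sAMAccountName rather than uid, which is why the ldapsearch example in the thread filters on samaccountname, and for a simple bind AD accepts a full DN or a user@domain UPN as the identity, which is the form the ldapsearch that did return results used; whatever string works on the command line is what belongs in `identity`.

```python
"""Reproduce rlm_ldap's failed bind with ldapsearch, using the very same credentials.

Added example; not FreeRADIUS code and not from the thread.  It reads the
`radiusd -X` debug output, pulls out what rlm_ldap actually bound with, and
builds the equivalent ldapsearch command.  It also redacts secrets, because
FreeRADIUS 1.x debug output contains both the test user's User-Password and
the LDAP bind password ("bind as identity/password").
"""
import re
import shlex

# Constructed sample, copied from the debug line formats shown in the thread.
# "powerful" / "userspass" / "s3cret" are placeholders, not real credentials.
SAMPLE_DEBUG = """\
        ldap: password = "s3cret"
        User-Name = "radtest"
        User-Password = "Passw0rd"
rlm_ldap: performing user authorization for radtest
radius_xlat:  '(uid=radtest)'
radius_xlat:  'ou=Local Users,dc=name,dc=serverdm,dc=domain,dc=edu'
rlm_ldap: (re)connect to name.serverdm.domain.edu:389, authentication 0
rlm_ldap: bind as powerful/userspass to name.serverdm.domain.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
"""

BIND_RE = re.compile(
    r"rlm_ldap: bind as (?P<identity>.+?)/(?P<password>.*?) to (?P<host>[^:\s]+):(?P<port>\d+)")
FILTER_RE = re.compile(r"radius_xlat:\s+'(\(.*\))'")      # expanded search filter
BASEDN_RE = re.compile(r"radius_xlat:\s+'([^'(][^']*)'")  # expanded basedn
FAIL_RE = re.compile(r"rlm_ldap: LDAP login failed")

# (pattern, replacement) for every place a secret shows up in -X output.
SECRET_PATTERNS = [
    (re.compile(r'(User-Password = ")[^"]*(")'), r"\1<redacted>\2"),
    (re.compile(r'(ldap: password = ")[^"]*(")'), r"\1<redacted>\2"),
    (re.compile(r"(rlm_ldap: bind as [^/\s]+/)\S+( to )"), r"\1<redacted>\2"),
]


def parse_bind(debug_text):
    """Return what rlm_ldap bound with (and whether it failed), or None if no bind was logged."""
    m = BIND_RE.search(debug_text)
    if not m:
        return None
    info = m.groupdict()
    info["port"] = int(info["port"])
    f, b = FILTER_RE.search(debug_text), BASEDN_RE.search(debug_text)
    info["filter"] = f.group(1) if f else None
    info["basedn"] = b.group(1) if b else None
    info["bind_failed"] = bool(FAIL_RE.search(debug_text))
    return info


def ldapsearch_command(info):
    """Build the ldapsearch call that does the same simple bind (-x) as rlm_ldap did.

    The identity is passed exactly as rlm_ldap used it, so a result that differs
    from what the server logged points at the directory, not at the credentials.
    """
    args = ["ldapsearch", "-LLL", "-x", "-H", "ldap://%s:%d" % (info["host"], info["port"]),
            "-D", info["identity"], "-w", info["password"]]
    if info["basedn"]:
        args += ["-b", info["basedn"]]
    if info["filter"]:
        args.append(info["filter"])
    return " ".join(shlex.quote(a) for a in args)


def redact(debug_text):
    """Scrub passwords before the debug output is mailed to a list or attached to a ticket."""
    for pattern, replacement in SECRET_PATTERNS:
        debug_text = pattern.sub(replacement, debug_text)
    return debug_text


if __name__ == "__main__":
    bind = parse_bind(SAMPLE_DEBUG)
    if bind and bind["bind_failed"]:
        print("rlm_ldap bind failed; reproduce it with:")
        print("  " + ldapsearch_command(bind))
    print(redact(SAMPLE_DEBUG))
```

The generated command uses `-w` so that it is identical to what rlm_ldap did; when typing it interactively, `-W` prompts for the password instead and keeps it out of shell history. A bind that fails here with the same identity fails for the same reason FreeRADIUS reports, and that is the point of running it.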
RE: wireless - freeradius - MS ldap
John,

People are *trying* to help you but you are not helping us help you. Please follow these steps and produce the output (and please don't say *I have already sent it*...):

- Run "radiusd -X -A" on the FreeRADIUS server
- Run "radtest radtest Passw0rd localhost 1 testing123"

Now copy and paste the response from FreeRADIUS.

The setup you are trying to achieve WORKS. I have tried it before and it does work.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Dickson, John
> Sent: January 3, 2006 12:44 PM
> To: FreeRadius users mailing list
> Subject: RE: wireless - freeradius - MS ldap
>
> I am sorry. I received a request for the data I had already
> sent, and I ran the tests too. I will refrain.
>
> John
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Tuesday, January 03, 2006 2:17 PM
> To: FreeRadius users mailing list
> Subject: Re: wireless - freeradius - MS ldap
>
> "Dickson, John" <[EMAIL PROTECTED]> wrote:
> > I sent this out earlier.
>
>   Ah. Having been told that what you sent earlier is
> inadequate, your response is to re-send it.
>
>   It's OK that you're a beginner. It's *not* OK to not read
> the FAQ or documentation which describe exactly how to test
> the server.
>
>   Alan DeKok.
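As an added illustration of what the second step above actually puts on the wire (this is not radtest's or FreeRADIUS's own code): `radtest radtest Passw0rd localhost 1 testing123` sends an RFC 2865 Access-Request carrying User-Name, User-Password, NAS-IP-Address and NAS-Port, a 59-byte UDP packet, which is exactly the `length=59` in the `rad_recv` line of the debug output elsewhere in this thread. The only protection for the PAP password in that packet is the RFC 2865 hiding scheme keyed by the shared secret from clients.conf, `testing123` here, so whoever knows the secret, or captures enough traffic to guess it, recovers the password. The code implements the client side (build, hide, send, verify the Response Authenticator of the reply) and the matching server side (reveal, sign an Accept/Reject), so the pair can be exercised offline; 127.0.0.1 as NAS-IP-Address and port 1812 are assumptions.

```python
"""What `radtest radtest Passw0rd localhost 1 testing123` puts on the wire.

Added example, not radtest or FreeRADIUS code.  It builds the RFC 2865
Access-Request radtest sends (User-Name, User-Password, NAS-IP-Address,
NAS-Port) and the server's signed reply, so the hiding of the PAP password
with MD5(secret + Request-Authenticator) is visible: the shared secret in
clients.conf ("testing123" here, as in the thread) is the only thing that
protects the password between NAS and server.  127.0.0.1 as NAS-IP-Address
and port 1812 are assumptions.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: null-pad to 16-byte blocks; block_i ^= MD5(secret + previous block),
    where "previous block" for the first block is the Request Authenticator."""
    pw = password.encode()
    if not pw or len(pw) % 16:
        pw += b"\x00" * (16 - len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same transform; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


def attr(code, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(username, password, secret, nas_port=1, ident=0, authenticator=None):
    """Return (packet, request_authenticator).  The authenticator must be fresh and
    unpredictable per request: it is the salt for the password hiding above."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1"))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(payload):
    """Walk the TLV list after the 20-byte header; refuse lengths that run off the end."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        code, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[code] = payload[i + 2:i + length]
        i += length
    return attrs


def build_response(code, request, secret):
    """Server side: Accept/Reject with no attributes.  Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response, request_authenticator, secret):
    """Client side: a reply that fails this check did not come from a holder of the secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_request(packet, server="127.0.0.1", port=1812, timeout=3.0):
    """UDP round trip.  1812 is the IANA auth port; older NASes still use 1645."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        return s.recv(4096)


if __name__ == "__main__":
    secret = b"testing123"
    pkt, auth = build_access_request("radtest", "Passw0rd", secret, ident=254)
    print("Access-Request id=%d length=%d" % (pkt[1], len(pkt)))
    reply = send_request(pkt)
    print("reply code", reply[0], "authentic:", verify_response(reply, auth, secret))
```

Running it against a server that has `127.0.0.1` with secret `testing123` in clients.conf reproduces radtest; a reply whose Response Authenticator does not verify is either from a host with a different secret or has been tampered with, and the same mismatch is why a wrong shared secret shows up as silent drops or "Received packet from ... with invalid signature" on the server side rather than as a clean reject.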
RE: wireless - freeradius - MS ldap
Send the output ***DURING*** authentication The information you are sending is useless to anyone. We are interested in what the server is saying during authentication. Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817 > >-Original Message- > >From: > >[EMAIL PROTECTED] > >org > >[mailto:[EMAIL PROTECTED] > >eradius.org] On Behalf Of Dickson, John > >Sent: January 3, 2006 11:41 AM > >To: FreeRadius users mailing list > >Subject: RE: wireless - freeradius - MS ldap > > > >I sent this out earlier. > >John > > > >[EMAIL PROTECTED] john]# /usr/local/sbin/radiusd -X -A > >Starting - reading configuration files ... > >reread_config: reading radiusd.conf > >Config: including file: /etc/raddb/clients.conf > >Config: including file: /etc/raddb/snmp.conf > >Config: including file: /etc/raddb/eap.conf > >Config: including file: /etc/raddb/sql.conf > > main: prefix = "/usr" > > main: localstatedir = "/var" > > main: logdir = "/var/log/radius" > > main: libdir = "/usr/lib" > > main: radacctdir = "/var/log/radius/radacct" > > main: hostname_lookups = no > > main: max_request_time = 30 > > main: cleanup_delay = 5 > > main: max_requests = 1024 > > main: delete_blocked_requests = 0 > > main: port = 0 > > main: allow_core_dumps = no > > main: log_stripped_names = no > > main: log_file = "/var/log/radius/radius.log" > > main: log_auth = no > > main: log_auth_badpass = no > > main: log_auth_goodpass = no > > main: pidfile = "/var/run/radiusd/radiusd.pid" > > main: user = "nobody" > > main: group = "nobody" > > main: usercollide = no > > main: lower_user = "no" > > main: lower_pass = "no" > > main: nospace_user = "no" > > main: nospace_pass = "no" > > main: checkrad = "/usr/sbin/checkrad" > > main: proxy_requests = yes > > security: max_attributes = 200 > > security: reject_delay = 1 > > security: status_server = no > > main: debug_level = 0 > >read_config_files: reading dictionary > >read_config_files: reading naslist > >Using deprecated naslist file. 
Support for this will go away soon. > >read_config_files: reading clients > >read_config_files: reading realms > >radiusd: entering modules setup > >Module: Library search path is /usr/lib > >Module: Loaded exec > > exec: wait = yes > > exec: program = "(null)" > > exec: input_pairs = "request" > > exec: output_pairs = "(null)" > > exec: packet_type = "(null)" > >rlm_exec: Wait=yes but no output defined. Did you mean output=none? > >Module: Instantiated exec (exec) > >Module: Loaded expr > >Module: Instantiated expr (expr) > >Module: Loaded LDAP > > ldap: server = "ssotest.mccsso.mccneb.edu" > > ldap: port = 389 > > ldap: net_timeout = 1 > > ldap: timeout = 4 > > ldap: timelimit = 3 > > ldap: identity = "dmadmin1"" > > ldap: tls_mode = no > > ldap: start_tls = no > > ldap: tls_cacertfile = "(null)" > > ldap: tls_cacertdir = "(null)" > > ldap: tls_certfile = "(null)" > > ldap: tls_keyfile = "(null)" > > ldap: tls_randfile = "(null)" > > ldap: tls_require_cert = "allow" > > ldap: password = "[EMAIL PROTECTED]" > > ldap: basedn = "ou=Metro users,dc=mccsso,dc=mccneb,dc=edu" > > ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" > > ldap: base_filter = "(objectclass=radiusprofile)" > > ldap: default_profile = "(null)" > > ldap: profile_attribute = "(null)" > > ldap: password_header = "(null)" > > ldap: password_attribute = "(null)" > > ldap: access_attr = "dialupAccess" > > ldap: groupname_attribute = "cn" > > ldap: groupmembership_filter = > >"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(obj > >ectClass=Gr > >oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" > > ldap: groupmembership_attribute = "(null)" > > ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" > > ldap: ldap_debug = 0 > > ldap: ldap_connections_number = 5 > > ldap: compare_check_items = no > > ldap: access_attr_used_for_allow = yes > > ldap: do_xlat = yes > >rlm_ldap: Registering ldap_groupcmp for Ldap-Group &
RE: wireless - freeradius - MS ldap
John,

Just run "radiusd -X -A" on the FreeRADIUS server and then try authenticating against it. You should see a lot of debug information. Send the output to the list; that would be more helpful.

Thanks,

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Dickson, John
> Sent: January 3, 2006 10:58 AM
> To: FreeRadius users mailing list
> Subject: RE: wireless - freeradius - MS ldap
>
> I don't know. I thought I was sending enough information.
>
> I was using this link to setup...it's my first.
> http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html
>
> What is confusing me is where configuration is applied to
> receive requests (cisco router) and where applied to pass
> requests (MS ldap).
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: Tuesday, January 03, 2006 11:55 AM
> To: FreeRadius users mailing list
> Subject: Re: wireless - freeradius - MS ldap
>
> "Dickson, John" <[EMAIL PROTECTED]> wrote:
> > OK. In the radius.conf under module configuration I have "ldap"
> > information pointing to the LDAP server and the authentication fails.
>
>   The debug log you posted doesn't show that. In fact, it
> shows pretty much nothing useful. You've taken care to
> *not* show the results from radtest, so all anyone can see is:
>
>   a) your radius server starts
>   b) radtest sends packets.
>
>   They don't see:
>
>   c) radiusd *receiving* packets
>   d) radtest receiving a response
>
>   How the heck can anyone help you without that information?
>
>   Alan DeKok.
RE: wireless - freeradius - MS ldap
Where is the rest of the debug output from the radius server? That portion would be more helpful in trying to determine the problem... Thanks, Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817 > >-Original Message- > >From: > >[EMAIL PROTECTED] > >org > >[mailto:[EMAIL PROTECTED] > >eradius.org] On Behalf Of Dickson, John > >Sent: January 3, 2006 9:03 AM > >To: FreeRadius users mailing list > >Subject: RE: wireless - freeradius - MS ldap > > > >OK. In the radius.conf under module configuration I have "ldap" > >information pointing to the LDAP server and the authentication fails. > >First I run: > > /usr/local/sbin/radiusd -X -A > >With: > > > >[EMAIL PROTECTED] john]# /usr/local/sbin/radiusd -X -A > >Starting - reading configuration files ... > >reread_config: reading radiusd.conf > >Config: including file: /etc/raddb/clients.conf > >Config: including file: /etc/raddb/snmp.conf > >Config: including file: /etc/raddb/eap.conf > >Config: including file: /etc/raddb/sql.conf > > main: prefix = "/usr" > > main: localstatedir = "/var" > > main: logdir = "/var/log/radius" > > main: libdir = "/usr/lib" > > main: radacctdir = "/var/log/radius/radacct" > > main: hostname_lookups = no > > main: max_request_time = 30 > > main: cleanup_delay = 5 > > main: max_requests = 1024 > > main: delete_blocked_requests = 0 > > main: port = 0 > > main: allow_core_dumps = no > > main: log_stripped_names = no > > main: log_file = "/var/log/radius/radius.log" > > main: log_auth = no > > main: log_auth_badpass = no > > main: log_auth_goodpass = no > > main: pidfile = "/var/run/radiusd/radiusd.pid" > > main: user = "nobody" > > main: group = "nobody" > > main: usercollide = no > > main: lower_user = "no" > > main: lower_pass = "no" > > main: nospace_user = "no" > > main: nospace_pass = "no" > > main: checkrad = "/usr/sbin/checkrad" > > main: proxy_requests = yes > > security: max_attributes = 200 > > security: reject_delay = 1 > > security: status_server = no > > main: 
debug_level = 0 > >read_config_files: reading dictionary > >read_config_files: reading naslist > >Using deprecated naslist file. Support for this will go away soon. > >read_config_files: reading clients > >read_config_files: reading realms > >radiusd: entering modules setup > >Module: Library search path is /usr/lib > >Module: Loaded exec > > exec: wait = yes > > exec: program = "(null)" > > exec: input_pairs = "request" > > exec: output_pairs = "(null)" > > exec: packet_type = "(null)" > >rlm_exec: Wait=yes but no output defined. Did you mean output=none? > >Module: Instantiated exec (exec) > >Module: Loaded expr > >Module: Instantiated expr (expr) > >Module: Loaded LDAP > > ldap: server = "ssotest.mccsso.mccneb.edu" > > ldap: port = 389 > > ldap: net_timeout = 1 > > ldap: timeout = 4 > > ldap: timelimit = 3 > > ldap: identity = "dmadmin1"" > > ldap: tls_mode = no > > ldap: start_tls = no > > ldap: tls_cacertfile = "(null)" > > ldap: tls_cacertdir = "(null)" > > ldap: tls_certfile = "(null)" > > ldap: tls_keyfile = "(null)" > > ldap: tls_randfile = "(null)" > > ldap: tls_require_cert = "allow" > > ldap: password = "[EMAIL PROTECTED]" > > ldap: basedn = "ou=Metro users,dc=mccsso,dc=mccneb,dc=edu" > > ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" > > ldap: base_filter = "(objectclass=radiusprofile)" > > ldap: default_profile = "(null)" > > ldap: profile_attribute = "(null)" > > ldap: password_header = "(null)" > > ldap: password_attribute = "(null)" > > ldap: access_attr = "dialupAccess" > > ldap: groupname_attribute = "cn" > > ldap: groupmembership_filter = > >"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(obj > >ectClass=Gr > >oupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" > > ldap: groupmembership_attribute = "(null)" > > ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap" > > ldap: ldap_debug = 0 > > ldap: ldap_connections_number = 5 > > ldap: co
RE: Freeradius probleming help me
Which port is your Dlink switch sending radius packet to? Most "new" devices use 1812 instead of 1645. Please investigate that first... If the Dlink is sending to port 1812, then just make sure you have "port = 0" in the radiusd.conf file. This will take care of that problem. Both devices have to be talking through the same port. Hope that helps. Alhagie Puye - Network Engineer Datawave Group of Companies (604)295-1817 > >-Original Message- > >From: > >[EMAIL PROTECTED] > >org > >[mailto:[EMAIL PROTECTED] > >eradius.org] On Behalf Of Kai Geek > >Sent: January 3, 2006 12:10 AM > >To: freeradius-users@lists.freeradius.org > >Subject: Freeradius probleming help me > > > >Hello, > > > >[EMAIL PROTECTED]:/etc/raddb# radiusd -p 1645 > >Ignoring deprecated command-line option -pTue Jan 3 > >10:06:51 2006 : Info: Starting - reading configuration files ... > > > >why problem on radiusd ? > > > >[EMAIL PROTECTED]:/etc/raddb# radiusd -X > >Starting - reading configuration files ... > >reread_config: reading radiusd.conf > >Config: including file: /etc/raddb/clients.conf > >Config: including file: /etc/raddb/eap.conf > >Config: including file: /etc/raddb/sql.conf > > main: prefix = "/usr/local" > > main: localstatedir = "/var" > > main: logdir = "/var/log/radius" > > main: libdir = "/usr/local/lib" > > main: radacctdir = "/var/log/radius/radacct" > > main: hostname_lookups = no > > main: max_request_time = 30 > > main: cleanup_delay = 5 > > main: max_requests = 1024 > > main: delete_blocked_requests = 0 > > main: port = 1645 > > main: allow_core_dumps = no > > main: log_stripped_names = no > > main: log_file = "/var/log/radius/radius.log" > > main: log_auth = yes > > main: log_auth_badpass = no > > main: log_auth_goodpass = no > > main: pidfile = "/var/run/radiusd/radiusd.pid" > > main: bind_address = 10.0.0.6 IP address [10.0.0.6] > > main: user = "root" > > main: group = "(null)" > > main: usercollide = no > > main: lower_user = "no" > > main: lower_pass = "no" > > main: 
nospace_user = "no" > > main: nospace_pass = "no" > > main: checkrad = "/usr/local/sbin/checkrad" > > main: proxy_requests = yes > > security: max_attributes = 200 > > security: reject_delay = 1 > > security: status_server = no > > main: debug_level = 0 > >read_config_files: reading dictionary > >read_config_files: reading naslist > >Using deprecated naslist file. Support for this will go away soon. > >read_config_files: reading clients > >read_config_files: reading realms > >radiusd: entering modules setup > >Module: Library search path is /usr/local/lib > >Module: Loaded exec > > exec: wait = yes > > exec: program = "(null)" > > exec: input_pairs = "request" > > exec: output_pairs = "(null)" > > exec: packet_type = "(null)" > >rlm_exec: Wait=yes but no output defined. Did you mean output=none? > >Module: Instantiated exec (exec) > >Module: Loaded expr > >Module: Instantiated expr (expr) > >Module: Loaded PAP > > pap: encryption_scheme = "crypt" > >Module: Instantiated pap (pap) > >Module: Loaded CHAP > >Module: Instantiated chap (chap) > >Module: Loaded MS-CHAP > > mschap: use_mppe = yes > > mschap: require_encryption = no > > mschap: require_strong = no > > mschap: with_ntdomain_hack = no > > mschap: passwd = "(null)" > > mschap: authtype = "MS-CHAP" > > mschap: ntlm_auth = "(null)" > >Module: Instantiated mschap (mschap) > >Module: Loaded DIGEST > >Module: Instantiated digest (digest) > >Module: Loaded System > > unix: cache = no > > unix: passwd = "(null)" > > unix: shadow = "(null)" > > unix: group = "(null)" > > unix: radwtmp = "/var/log/radius/radwtmp" > > unix: usegroup = no > > unix: cache_reload = 600 > >Module: Instantiated unix (unix) > >Module: Loaded eap > > eap: default_eap_type = "md5" > > eap: timer_expire = 60 > > eap: ignore_unknown_eap_types = no > > eap: cisco_accounting_username_bug = no > >rlm_eap: Loaded and initialized type md5 > >rlm_eap: Loaded and initialized type leap > > gtc: challenge = "Password: " > > gtc: auth_type = "PAP" > 
>rlm_eap: L
RE: FreeRADIUS with PEAP problems
> From: [EMAIL PROTECTED] on behalf of Alan DeKok
> Sent: Mon 1/2/2006 5:57 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS with PEAP problems
>
> "Alhagie Puye" <[EMAIL PROTECTED]> wrote:
> > Here is exactly what my eap.conf file looks like (I have removed every
> > line that is commented)
> ...
> > tls {
> ...
> > peap {
> > default_eap_type = mschapv2
> > }
>
>   So you didn't just uncomment the "peap" section. You edited & re-arranged it. Your edits broke it.

Yes, I did; the re-arranging part was completely unintentional. My apologies... :-(

>   There's a simple solution: read the stock "eap.conf" again. Follow its layout. It WORKS.

Yes, you are absolutely right. It DOES work. Thanks for all your help

Alhagie
RE: FreeRADIUS with PEAP problems
Ok, I found what the problem is, thanks to Zoltan. The last "}" should have been before the "peap" section. I had accidentally placed the "peap" section inside the "tls" section. I have changed the eap.conf file to look like this now and it works fine.

eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
                certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
                CA_file = ${raddbdir}/certs/root.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

Thanks everybody that gave me a hand.

Alhagie.

> From: [EMAIL PROTECTED] on behalf of Alhagie Puye
> Sent: Mon 1/2/2006 3:43 PM
> To: FreeRadius users mailing list
> Subject: RE: FreeRADIUS with PEAP problems
>
> Thanks Alan for the reply. The "peap" section was already uncommented. Here is exactly what my eap.conf file looks like (I have removed every line that is commented)
>
> eap {
>         default_eap_type = peap
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         tls {
>                 private_key_password = whatever
>                 private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
>                 certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
>                 CA_file = ${raddbdir}/certs/root.pem
>                 dh_file = ${raddbdir}/certs/dh
>                 random_file = ${raddbdir}/certs/random
>                 peap {
>                         default_eap_type = mschapv2
>                 }
>                 mschapv2 {
>                 }
>         }}
>
> Thanks,
> Alhagie.
>
> > From: [EMAIL PROTECTED] on behalf of Alan DeKok
> > Sent: Mon 1/2/2006 2:28 PM
> > To: FreeRadius users mailing list
> > Subject: Re: FreeRADIUS with PEAP problems
> >
> > "Alhagie Puye" <[EMAIL PROTECTED]> wrote:
> > > rlm_eap: Loaded and initialized type tls
> > > rlm_eap: No such sub-type for default EAP type peap
> >
> >   Try reading eap.conf, and uncommenting the "peap" section.
> >
> >   I'm not sure how to make that error message more descriptive, or update the comments in eap.conf so that people will *read* them.
> >
> >   Alan DeKok.
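The mis-nesting described above (`peap { }` inside `tls { }`, with `}}` closing both) is syntactically valid, so the server starts normally and only complains when rlm_eap cannot find the sub-type named by `default_eap_type`. The following is an added example, not FreeRADIUS code: a small parser for the brace-style config format that returns every section's dotted path, plus a check built on it that flags EAP sub-type sections which are not direct children of `eap` and a `default_eap_type` with no matching section. The two configs embedded are the broken and the fixed eap.conf from the messages above; `${raddbdir}` is kept as a literal string, since the parser neither expands variables nor handles `#` inside quoted values.

```python
"""Find EAP sub-type sections that ended up nested in the wrong place in eap.conf.

Added example, not FreeRADIUS code.  rlm_eap loads one sub-type per section
found directly inside `eap { }`; a `peap { }` block that sits inside `tls { }`
is syntactically fine, so the server starts and later reports
"No such sub-type for default EAP type peap".  Configs below are the broken
and fixed versions from the thread; ${raddbdir} stays a literal string.
"""
import re

EMPTY_SECTION = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*\{\s*\}\s*$")  # name { }
SECTION_OPEN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*\{\s*$")        # name {
SECTION_CLOSE = re.compile(r"^\s*\}")                               # } or }}
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")
EAP_TYPES = {"md5", "leap", "gtc", "tls", "ttls", "peap", "mschapv2"}

BROKEN_EAP_CONF = """\
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        peap {
            default_eap_type = mschapv2
        }
        mschapv2 {
        }
    }}
"""

FIXED_EAP_CONF = """\
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
        CA_file = ${raddbdir}/certs/root.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}
"""


def parse_sections(text):
    """Return {dotted.section.path: {key: value}}; '#' comments and blank lines are ignored.
    Raises ValueError on a stray '}' or on a section still open at end of file."""
    stack, sections = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = EMPTY_SECTION.match(line) or SECTION_OPEN.match(line)
        if m:
            sections.setdefault(".".join(stack + [m.group(1)]), {})
            if not line.endswith("}"):        # "name { }" opens and closes at once
                stack.append(m.group(1))
        elif SECTION_CLOSE.match(line):
            for _ in range(line.count("}")):  # "}}" closes two levels
                if not stack:
                    raise ValueError("line %d: '}' with no open section" % lineno)
                stack.pop()
        else:
            m = KEY_VALUE.match(line)
            if not m or not stack:
                raise ValueError("line %d: cannot parse %r" % (lineno, raw))
            sections[".".join(stack)][m.group(1)] = m.group(2)
    if stack:
        raise ValueError("unterminated section(s): " + ".".join(stack))
    return sections


def check_eap_layout(config_text):
    """List EAP sub-type sections not directly under eap, and a default type with no section."""
    sections = parse_sections(config_text)
    problems = [p for p in sections
                if p.split(".")[-1] in EAP_TYPES and p.split(".")[:-1] != ["eap"]]
    default = sections.get("eap", {}).get("default_eap_type")
    if default and "eap." + default not in sections:
        problems.append("eap.default_eap_type=%s has no eap.%s section" % (default, default))
    return problems


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_EAP_CONF), ("fixed", FIXED_EAP_CONF)):
        print(name + ":", check_eap_layout(conf) or "OK")
```

On the broken file the check reports `eap.tls.peap`, `eap.tls.mschapv2` and the missing `eap.peap` section; on the fixed file it reports nothing. Brace counting, not the server's log, is what catches this class of mistake, which is why diffing an edited eap.conf against the stock one before restarting is cheaper than reading debug output afterwards.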
RE: FreeRADIUS with PEAP problems
Title: Re: FreeRADIUS with PEAP problems

From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Mon 1/2/2006 2:28 PM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems

Thanks Alan for the reply. The "peap" section was already uncommented. Here is exactly what my eap.conf file looks like (I have removed every line that is commented):

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
            private_key_password = whatever
            private_key_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
            certificate_file = ${raddbdir}/certs/freebsd.puyenet.com.pem
            CA_file = ${raddbdir}/certs/root.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = ${raddbdir}/certs/random
            peap {
                default_eap_type = mschapv2
            }
            mschapv2 {
            }
        }
    }

Thanks,
Alhagie.

"Alhagie Puye" <[EMAIL PROTECTED]> wrote:
> rlm_eap: Loaded and initialized type tls
> rlm_eap: No such sub-type for default EAP type peap

  Try reading eap.conf, and uncommenting the "peap" section.

  I'm not sure how to make that error message more descriptive, or update the comments in eap.conf so that people will *read* them.

  Alan DeKok.
RE: FreeRADIUS with PEAP problems
assword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x80b3780
Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/freebsd.puyenet.com.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/freebsd.puyenet.com.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
 tls: private_key_password = "X"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
rlm_eap: No such sub-type for default EAP type peap
radiusd.conf[9]: eap: Module instantiation failed.
freebsd#

Thanks,
Alhagie.

From: [EMAIL PROTECTED] on behalf of Zoltan A. Ori
Sent: Mon 1/2/2006 8:38 AM
To: FreeRadius users mailing list
Subject: Re: FreeRADIUS with PEAP problems

On Monday 02 January 2006 07:34, Alhagie Puye wrote:
> > > Do you have
> > >
> > > peap {
> > >     default_eap_type = mschapv2
> > > }
> > >
> > > in your eap.conf?
>
> Yes, I do.

And, was MSCHAP instantiated?

A complete debug output might help since the problem may begin elsewhere and only manifest itself as an error when dependencies are required.

Zoltan Ori
RE: FreeRADIUS with PEAP problems
Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Zoltan A. Ori
> Sent: January 2, 2006 3:58 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS with PEAP problems
>
> On Monday 02 January 2006 06:32, Alhagie Puye wrote:
>
> > rlm_eap: Loaded and initialized type tls
> > rlm_eap: No such sub-type for default EAP type peap
> > Bus error (core dumped)
> > bash-2.05b#
>
> Do you have
>
>     peap {
>         default_eap_type = mschapv2
>     }
>
> in your eap.conf?

Yes, I do.

> Zoltan Ori
FreeRADIUS with PEAP problems
Hello all,

I am trying to configure FreeRADIUS with PEAP support. Here are my specs:

OS: FreeBSD 5.4
OpenSSL: version 0.9.7d
FreeRADIUS: 1.0.5

I have tested the configuration with EAP/TLS and it works just fine; however, when I change "default_eap_type = tls" to "default_eap_type = peap" in the eap.conf file, I'm getting:

Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/freebsd.puyenet.com.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/freebsd.puyenet.com.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
 tls: private_key_password = ""
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
rlm_eap: No such sub-type for default EAP type peap
Bus error (core dumped)
bash-2.05b#

I have found this article from 2004 (http://lists.freeradius.org/pipermail/freeradius-users/2004-October/036946.html). I'm not sure if this applies to me.

Any help is greatly appreciated.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817
RE: FreeRadius cannot Authenticate to Windows AD
Michael,

Try querying Active Directory with the "ldapsearch" utility. Here is an example:

    ldapsearch -LLL -h 1.2.3.4 -x -b 'dc=domain,dc=com' '(samaccountname=backops)' -D backops -w passofbackops

This will tell you whether the credentials are correct or not.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Mayers
> Sent: December 16, 2005 1:55 AM
> To: FreeRadius users mailing list
> Subject: Re: FreeRadius cannot Authenticate to Windows AD
>
> Michael Calizo wrote:
> > Hi,
> >
> > Same thing has happened, I still can not authenticate to Windows AD.
> > Same Error is displayed when I debug radiusd
> >
> > I put quotes around password..
> >
> > radtest user 'mypass' 192.168.1.1:1812 1812 testing123
> > or
> > radtest user 'mypass' 192.168.1.1:1812 1812 testing123
> >
> >
> > What do you think is the problem?
>
> rlm_ldap: bind as cn=backops,cn=Admin,dc=domain,dc=com/passofbackops to 192.168.1.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
>
> ...that's pretty clear. The "identity"/"password" combo you have is wrong. Or AD thinks it's wrong.
RE: FreeRadius cannot Authenticate to Windows AD
Put quotes around the password, one thing I learned. That will take you further. I have a working config. So, please let me know if you are still running into problems.

P.S. I will be posting a doc on the wiki once I'm done with testing.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Calizo
Sent: December 15, 2005 8:26 PM
To: Freeradius-Users@lists.freeradius.org
Subject: FreeRadius cannot Authenticate to Windows AD

Hi Guru's,

I have installed freeradius and used each LDAP module to authenticate to WINDOWS 2003 AD. The problem is it can't do the authentication; it seems that I missed the radius.conf LDAP module configuration which causes the LDAP module to fail when connecting to MSAD. Below is my radius.conf config file. Hoping that you guys can help me, coz I have been googling all day for this config and I can not make this thing work...

Thnx in advance..

radius.conf:

    ldap {
        server = "oberon.chikka.ph"
        # identity = "cn=admin,o=My Org,c=UA"
        identity = "cn=backops,cn=Admin,dc=chikka,dc=ph"
        password = [EMAIL PROTECTED]@n
        # password = mypass
        basedn = "dc=chikka,dc=ph"
        # filter = "(SamAccountName=%{Stripped-User-Name:-%{User-Name}})"
        #filter = "(SamAccountName=%U)"
        #filter = "(SamAccountName=%u)"
        # base_filter = "(objectclass=radiusprofile)"
        base_filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=Admin,DC=chikka,DC=ph))"
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no
        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5

        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_header = "{clear}"
        #
        # The server can usually figure this out on its own, and pull
        # the correct User-Password or NT-Password from the database.
        #
        # Note that NT-Passwords MUST be stored as a 32-digit hex
        # string, and MUST start off with "0x", such as:
        #
        # 0x000102030405060708090a0b0c0d0e0f
        #
        # Without the leading "0x", NT-Passwords will not work.
        # This goes for NT-Passwords stored in SQL, too.
        #
        # password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
    }

Here is my radiusd -X -A LOG...

rad_recv: Access-Request packet from host 192.168.1.13:37146, id=42, length=59
        User-Name = "myaccount"
        User-Password = "mypass"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1812
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "
RE: Wiki is now live
Awesome!!! Thanks guys.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
> Sent: December 12, 2005 9:55 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Wiki is now live
>
>   http://wiki.freeradius.org/
>
>   Please feel free to add documentation, configuration examples, etc. Right now it's pretty minimal and free-form.
>
>   Thanks to Peter Nixon for setting it up and hosting it.
>
>   Alan DeKok.
RE: Documentation on Group Locking using FreeRADIUS/AD/Cisco VPNConcentrator
No suggestions on this? This is an awesome product. No doubt!!! However, I think we will benefit more with better documentation.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alhagie Puye
> Sent: December 9, 2005 3:05 PM
> To: FreeRadius users mailing list
> Subject: Documentation on Group Locking using FreeRADIUS/AD/Cisco VPNConcentrator
>
> Hello all,
>
> I have spent a fair bit of time trying to get FreeRADIUS/Active Directory/Cisco VPN Concentrator 3005 to lock users into groups using the class attribute. Dusty Doris gave me a hand too. It has been tested and it works as expected.
>
> http://www.cisco.com/warp/public/471/altigagroup.html
>
> This feature is very, very neat and flexible.
>
> I would now like to write up a step-by-step document on how to make these work together. I don't have a public web site to host this page. I'm looking for suggestions on how to make it readily available to other users since the VPN Concentrator is gaining popularity.
>
> Is the wiki page mentioned here a while back going to materialize? Or should I write up a text document so that it could be added to the doc/ directory in the source code?
>
> I would hate for someone to have to reinvent the wheel on this issue.
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
Documentation on Group Locking using FreeRADIUS/AD/Cisco VPN Concentrator
Hello all,

I have spent a fair bit of time trying to get FreeRADIUS/Active Directory/Cisco VPN Concentrator 3005 to lock users into groups using the class attribute. Dusty Doris gave me a hand too. It has been tested and it works as expected.

http://www.cisco.com/warp/public/471/altigagroup.html

This feature is very, very neat and flexible.

I would now like to write up a step-by-step document on how to make these work together. I don't have a public web site to host this page. I'm looking for suggestions on how to make it readily available to other users since the VPN Concentrator is gaining popularity.

Is the wiki page mentioned here a while back going to materialize? Or should I write up a text document so that it could be added to the doc/ directory in the source code?

I would hate for someone to have to reinvent the wheel on this issue.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817
RE: rlm_ldap: ldap_search() failed: Bad search filter:
Looks like your syntax is wrong. Why don't you have parentheses around "sAMAccountName userAccountControl"? You are also missing an "=" between the two words.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Norbert Wegener
> Sent: December 7, 2005 12:30 PM
> To: FreeRadius users mailing list
> Subject: rlm_ldap: ldap_search() failed: Bad search filter:
>
> I am still trying to let freeradius query AD, but not yet too successful.
>
> Using the following vars with ldapsearch gives me the desired result, as shown below, but fails with rlm_ldap.
>
> ##
> server="mchm967a.tww006.sitest.net "
> port=3268
> identity="[EMAIL PROTECTED] "
> mypass="mypass"
> basedn="dc=TDE002,dc=SITEST,dc=NET"
> filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl"
> #
> ldapsearch -x -h $server -p $port -b $basedn $filter -D $identity -w $mypass -x
>
> # extended LDIF
> #
> # LDAPv3
> # base with scope sub
> # filter: (&(sAMAccountName=28TEF003$)(objectclass=computer))
> # requesting: sAMAccountName userAccountControl
> #
>
> # 28TEF003, CAT-Computers, OU16, MchP, tde002.sitest.net
> dn: CN=28TEF003,OU=CAT-Computers,OU=OU16,OU=MchP,DC=tde002,DC=sitest,DC=net
> userAccountControl: 4096
> sAMAccountName: 28TEF003$
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> ##
> So far, so good.
>
> When I take the same vars in radiusd.conf, I get:
> rlm_ldap: ldap_search() failed: Bad search filter
>
> radiusd.conf:
>
>     ldap ldap1 {
>         server="mchm967a.tww006.sitest.net "
>         port=3268
>         identity="[EMAIL PROTECTED] "
>         mypass="mypass"
>         basedn="dc=TDE002,dc=SITEST,dc=NET"
>         filter="(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl"
>         ldap_debug= 0x
>         ldap_connections_number = 5
>         timeout = 40
>         timelimit = 30
>         net_timeout = 10
>         tls {
>         }
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>     }
>
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=TDE002,dc=SITEST,dc=NET, with filter (&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl
> ldap_search
> put_filter: "(&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl"
> put_filter: AND
> put_filter_list "(sAMAccountName=28TEF003$)(objectclass=computer)"
> put_filter: "(sAMAccountName=28TEF003$)"
> put_filter: simple
> put_simple_filter: "sAMAccountName=28TEF003$"
> put_filter: "(objectclass=computer)"
> put_filter: simple
> put_simple_filter: "objectclass=computer"
> put_filter: default
> put_simple_filter: "sAMAccountName userAccountControl"
> rlm_ldap: ldap_search() failed: Bad search filter: (&(sAMAccountName=28TEF003$)(objectclass=computer)) sAMAccountName userAccountControl
> ldap_msgfree
> rlm_ldap: search failed
>
> What am I doing wrong?
> Thanks
> Norbert Wegener
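An added example, not FreeRADIUS or OpenLDAP code, that checks a filter string the way rlm_ldap hands it to ldap_search(): balanced parentheses, an attribute and an operator in every item, and nothing after the closing parenthesis. It is run over Norbert's filter above (which ldapsearch accepted only because the unquoted $filter was split by the shell into a filter plus two attribute names, as his "requesting:" line shows) and over the filter line from Michael's radius.conf further up in this archive, which is short one closing parenthesis; %{...} expansions are treated as opaque so an unexpanded radiusd.conf filter can be checked.

```python
"""Check an LDAP search filter the way rlm_ldap passes it to ldap_search()
(added example, not FreeRADIUS or OpenLDAP code). Minimal RFC 4515 walk:
balanced parentheses, an attribute plus operator in every item, nothing
after the closing parenthesis. FreeRADIUS %{...} expansions are skipped as
opaque text so a radiusd.conf filter can be checked before expansion."""
import re

# Norbert's string: ldapsearch accepted it because the shell split $filter into
# a filter plus two attribute names; rlm_ldap sends the whole string as the filter.
NORBERT = ("(&(sAMAccountName=28TEF003$)(objectclass=computer))"
           " sAMAccountName userAccountControl")
NORBERT_FIXED = "(&(sAMAccountName=28TEF003$)(objectclass=computer))"
# The filter line in Michael's radius.conf is short one closing parenthesis.
MICHAEL = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
MICHAEL_FIXED = MICHAEL + ")"

class FilterError(ValueError):
    """Why and where (string offset) the filter is malformed."""

_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")   # attribute description: no spaces

def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        got = repr(s[i]) if i < len(s) else "end of string"
        raise FilterError(f"expected {ch!r} at offset {i}, found {got}")
    return i + 1

def _skip_xlat(s, i):
    """s[i:] starts with '%{'; return the index just past its matching '}'."""
    depth, j = 0, i
    while j < len(s):
        if s.startswith("%{", j):
            depth, j = depth + 1, j + 2
        elif s[j] == "}":
            depth, j = depth - 1, j + 1
            if depth == 0:
                return j
        else:
            j += 1
    raise FilterError(f"unterminated %{{...}} expansion at offset {i}")

def _parse_item(s, i):
    """attr [~|<|>]= value ; the value runs to the next unescaped ')'."""
    start = i
    while i < len(s) and s[i] not in "=~<>()":
        i += 1
    attr = s[start:i]
    if not _ATTR.fullmatch(attr):
        raise FilterError(f"bad attribute {attr!r} at offset {start}"
                          " (missing '=' between words?)")
    if i < len(s) and s[i] in "~<>":
        i += 1
    i = _expect(s, i, "=")
    while i < len(s) and s[i] != ")":
        if s.startswith("%{", i):
            i = _skip_xlat(s, i)
        elif s[i] == "(":
            raise FilterError(f"unescaped '(' inside a value at offset {i}")
        elif s[i] == "\\":                      # RFC 4515 escape is \XX (hex)
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
                raise FilterError(f"bad escape at offset {i}: use \\XX")
            i += 3
        else:
            i += 1
    return i

def _parse_filter(s, i):
    """filter = '(' ( '&' filter+ | '|' filter+ | '!' filter | item ) ')'"""
    i = _expect(s, i, "(")
    c = s[i] if i < len(s) else ""
    if c in ("&", "|"):
        i, n = i + 1, 0
        while i < len(s) and s[i] == "(":
            i, n = _parse_filter(s, i), n + 1
        if n == 0:
            raise FilterError(f"empty {c!r} list at offset {i}")
    elif c == "!":
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    return _expect(s, i, ")")

def check_filter(s):
    """Return (True, 'ok') or (False, reason); never raises."""
    try:
        end = _parse_filter(s, 0)
    except FilterError as e:
        return False, str(e)
    if end != len(s):
        return False, f"trailing text after the filter: {s[end:]!r}"
    return True, "ok"
```

check_filter(NORBERT) reports the trailing " sAMAccountName userAccountControl", which is exactly the text the put_filter trace above falls through to its "default" case on; check_filter(MICHAEL) reports that the string ends where a ")" is expected.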
RE: Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator
Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dusty Doris
> Sent: December 2, 2005 10:11 AM
> To: FreeRadius users mailing list
> Subject: RE: Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator
>
> On Wed, 30 Nov 2005, Alhagie Puye wrote:
>
> > Ok, So I played around some more with the settings.
> >
> > Actually "group" and "groupofnames" are not correct attributes for user.
> >
> > It is supposed to be "memberof". So I changed line in ldap.attrmap to look like:
> >
> > replyItem Class memberof
> >
> > Now I'm getting replyItems but the data looks like garbage. I want it to return the group name.
> >
>
> You are returning CN as the class in your radius packet.
>
> Class = CN
>
> Class is not a string, it's an octet so what you are seeing 434e is really CN. You must be returning something like
>
> memberof: CN=somegroup,ou=someou,...

Yes, you are absolutely correct. I have now installed and configured OpenLDAP and followed your instructions to the teeth because this is driving me to the wall. If I have to implement OpenLDAP to get this working, then that's what I will do...

Here is what I'm getting now:

Cleaning up request 0 ID 183 with timestamp 4390a566
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:44210, id=250, length=57
        User-Name = "user2"
        User-Password = "whatever"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "user2", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'DC=mydomain,DC=com'
radius_xlat: '(uid=user2)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (uid=user2)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(&(uid=user2))(objectclass=radiusprofile)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (&(radiusGroupName=disabled)(&(uid=user2))(objectclass=radiusprofile))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=user2,ou=users,ou=radius,dc=mydomain,dc=com, with filter (objectclass=*)
rlm_ldap::groupcmp: Group disabled not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'DC=mydomain,DC=com'
radius_xlat: '(&(uid=user2))(objectclass=radiusprofile)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (&(radiusGroupName=dial)(&(uid=user2))(objectclass=radiusprofile))
rlm_ldap::ldap_groupcmp: User found in group dial
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 169
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for user2
radius_xlat: '(uid=user2)'
radius_xlat: 'DC=mydomain,DC=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=mydomain,DC=com, with filter (uid=user2)
rlm_ldap: performing search in uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com, with filter (objectclass=radiusprofile)
rlm_ldap: Adding radiusFramedRouting as Framed-Routing, value None & op=11
rlm_ldap: Adding radiusFramedIPNetmask as Framed-IP-Netmask, value 255.255.255.0 & op=11
rlm_ldap: Adding radiusFramedProtocol as Framed-Protocol, value PPP & op=11
rlm_ldap: Adding radiusServiceType as Service-Type, value Framed-User & op=11
rlm_ldap: Added password whatever in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusgroupname as Class, v
RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dusty Doris
> Sent: November 30, 2005 7:16 AM
> To: FreeRadius users mailing list
> Subject: RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
>
> > Radiusd.conf:
> >
> >     filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptp cps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"
> >
> > This works fine. However I can't get it to return any replyItems. Has anyone gotten this to work with Active Directory? All the docs I see on the Net reference OpenLDAP. I'm sure there is a lot of folks out there running Windows 2000/2003 Active Directory.
> >
> > I have spent a couple of days on this not having much luck. Here are a few questions that would help me a bit.
> >
> > 1) Do I need groupname_attribute to get this to work?
> >
> > 2) What about groupmembership_filter and groupmembership_attribute?
> >
> > My ldap.attrmap looks like this:
> >
> >     replyItem Class groupofnames
> >     replyItem Class group
> >
> > I think the above is correct. Can someone shed some light on this?
>
> Is group and groupofnames something that is an attribute of a user? When freeradius searches for reply items it is searching for attributes of that user.
>
> eg:
>
>     dn: cn=someuser,...
>     group: somegroup
>
> Should then add
>
>     Class = somegroup
>
> to the reply items.
>
> If you want to make reply items attached to a group, rather than in individual, you will need to set the User-Profile attribute.
>
> For example,
>
>     dn: cn=somegroup,ou=groups,...
>     group: somegroup
>
> Then in the users file.
>
>     DEFAULT Ldap-Group == somegroup, User-Profile := "cn=somegroup,ou=groups,..."
>
> You may be able to do this dynamically using xlat or something like huntgroups too. If you want an example, send us an example of a user and group from AD in ldif format and an example of a radius packet that you would expect in the reply and I'll see if I can come up with an idea for ya.

I'm still waiting for some help with this. I have sent all the information that you requested. I have gotten it to return the group name but it is also returning the username as well, and the username is returned after the group name. Is there a way to return just the groupname? I really would like to resolve this issue once and for all.

I'm really surprised that there are not folks on the list who have Active Directory users that they want to use to lock VPN users into groups on the VPN Concentrator. If really there isn't, I would put a howto on this when I get it working and post it on the list.

Here is my latest output:

rlm_ldap: performing search in CN=itops,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave, with filter (cn=itops)
rlm_ldap::ldap_groupcmp: User found in group itops
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 163
  modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat: '(&(sAMAccountName=apuye)(objectclass=user))'
radius_xlat: 'DC=corp,DC=van,DC=dwave'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter (&(sAMAccountName=apuye)(objectclass=user))
rlm_ldap: performing search in CN=itops,ou=Information Technology,ou=Datawave Users,dc=corp,dc=van,dc=dwave, with filter (objectclass=group)
rlm_ldap: Adding samaccountname as Class, value itops & op=11
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding samaccountname as Class, value apuye & op=11
rlm_ldap: user apuye authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns ok for request 1
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 1
rlm_ldap: - authenticate
rlm_
RE: Freeradius How to integrate Active Directory and return groupattribute to VPN Concentrator
Ok, so I played around some more with the settings. Actually "group" and "groupofnames" are not correct attributes for a user. It is supposed to be "memberof". So I changed the line in ldap.attrmap to look like:

replyItem Class memberof

Now I'm getting replyItems but the data looks like garbage. I want it to return the group name. Here is the output:

** Connections:
* host: SERVER.corp.van.dwave  port: 389 (default)
  refcnt: 1  status: Connected
  last used: Wed Nov 30 15:43:08 2005
** Outstanding Requests:
 * msgid 19,  origid 16, status InProgress
   outstanding referrals 0, parent count 1
 * msgid 17,  origid 16, status Request Completed
   outstanding referrals 0, parent count 1
 * msgid 16,  origid 16, status Request Completed
   outstanding referrals 1, parent count 0
** Response Queue:
 * msgid 16,  type 100
ldap_chkResponseList for msgid=16, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 16, all 1
ldap_read: message type search-result msgid 19, original id 16
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 19
merged parent (id 16) error info:  result errno 0, error <>, matched <>
request 16 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 16, msgid 16)
ldap_free_request (origid 16, msgid 19)
ldap_free_request (origid 16, msgid 17)
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
adding response id 16 type 101:
ldap_parse_result
ldap_get_dn
ldap_get_values
rlm_ldap: looking for check items in directory...
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: looking for reply items in directory...
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: Adding memberof as Class, value CN & op=11
rlm_ldap: Adding memberof as Class, value CN & op=11
rlm_ldap: Adding memberof as Class, value CN & op=11
rlm_ldap: Adding memberof as Class, value CN & op=11
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
ldap_get_values
rlm_ldap: user apuye authorized to use remote access
ldap_msgfree
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "apuye" with password "X"
rlm_ldap: user DN: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave
rlm_ldap: (re)connect to SERVER.corp.van.dwave:389, authentication 1
ldap_create
rlm_ldap: bind as CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave/X to SERVER.corp.van.dwave:389
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP SERVER.corp.van.dwave:389
ldap_new_socket: 7
ldap_prepare_socket: 7
ldap_connect_to_host: Trying w.x.y.z:389
ldap_connect_timeout: fd: 7 tm: 10 async: 0
ldap_ndelay_on: 7
ldap_is_sock_ready: 7
ldap_ndelay_off: 7
ldap_open_defconn: successful
ldap_send_server_request
rlm_ldap: waiting for bind result ...
ldap_result msgid 1
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 40 sec, 0 usec), msgid 1
wait4msg continue, msgid 1, all 1
** Connections:
* host: SERVER.corp.van.dwave  port: 389 (default)
  refcnt: 2  status: Connected
  last used: Wed Nov 30 15:43:08 2005
** Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=1, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 1, all 1
ldap_read: message type bind msgid 1, original id 1
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 1
request 1 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_free_connection
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
rlm_ldap: Bind was successful
rlm_ldap: user apuye authenticated successfully
ldap_free_connection
ldap_send_unbind
ldap_free_connection: actually freed
  modcall[authenticate]: module "ldap"
RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
Here is an ldap query output for a user:

waggawagga raddb # ldapsearch -LLL -h w.x.y.z -x -b 'dc=corp,dc=van,dc=dwave' '(&(memberof=CN=rptpcps,OU=DataWave Users,DC=corp,DC=van,DC=dwave)(samaccountname=apuye))' -D [EMAIL PROTECTED] -w XXXX
dn: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=itops-folder,OU=SHARED FOLDERS,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=rptpcps,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=itops,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=datawave,OU=DataWave Users,DC=corp,DC=van,DC=dwave
accountExpires: 9223372036854775807
badPasswordTime: 127778245108916810
badPwdCount: 0
codePage: 0
cn: Alhagie Puye
countryCode: 0
description: IT Operations
displayName: Alhagie Puye
givenName: Alhagie
homeDirectory: \\fs1\apuye
homeDrive: H:
instanceType: 4
lastLogoff: 0
lastLogon: 12777842628216
logonCount: 196
msNPAllowDialin: TRUE
distinguishedName: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=van,DC=dwave
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: oO1UkRu8RkScNIOHmaB/qw==
objectSid:: AQUAAAUVzSmuLihcKk12fipaZwkAAA==
primaryGroupID: 513
profilePath: \\fs2\profiles\apuye
pwdLastSet: 127771529310887572
name: Alhagie Puye
sAMAccountName: apuye
sAMAccountType: 805306368
sn: Puye
userAccountControl: 512
userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
 CAgUBAaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm4
 6Cy44
 C5FggBQ3R4Q2FsbGJhY2vjgLDjgLDjgLDjgLASCAFDdHhTaGFkb3fjhLDjgLDjgLDjgLAoCA
 FDdHh
 NYXhDb25uZWN0aW9uVGltZeOAsOOAsOOAsOOAsC4IAUN0eE1heERpc2Nvbm5lY3Rpb25UaW1
 l44Cw
 44Cw44Cw44CwHAgBQ3R4TWF4SWRsZVRpbWXjgLDjgLDjgLDjgLAiCAFDdHhLZXlib2FyZExh
 eW91d
 OOAsOOAsOOAsOOAsCoCAUN0eE1pbkVuY3J5cHRpb25MZXZlbOOEsCACAUN0eFdvcmtEaXJlY
 3Rvcn
 njgLAgAgFDdHhOV0xvZ29uU2VydmVy44CwGAIBQ3R4V0ZIb21lRGly44CwIgIBQ3R4V0ZIb2
 1lRGl
 yRHJpdmXjgLAgAgFDdHhXRlByb2ZpbGVQYXRo44CwIgIBQ3R4SW5pdGlhbFByb2dyYW3jgLA
 iAgFD
 dHhDYWxsYmFja051bWJlcuOAsA==
userPrincipalName: [EMAIL PROTECTED]
uSNChanged: 7588047
uSNCreated: 5713011
whenChanged: 20051122170851.0Z
whenCreated: 20050902184213.0Z

# refldap://corp.van.dwave/CN=Configuration,DC=corp,DC=van,DC=dwave

I would like the group that the user is a member of to be sent back in the replyItem. I need this value for locking the user into groups on the Cisco VPN Concentrator. That's the only portion I'm missing. Here is an output of the debug when I authenticate the user:

put_filter: "(cn=itops)"
put_filter: simple
put_simple_filter: "cn=itops"
ldap_send_initial_request
ldap_send_server_request
ldap_result msgid 15
ldap_chkResponseList for msgid=15, all=1
ldap_chkResponseList returns NULL
wait4msg (timeout 40 sec, 0 usec), msgid 15
wait4msg continue, msgid 15, all 1
** Connections:
* host: SERVER.corp.van.dwave  port: 389 (default)
  refcnt: 2  status: Connected
  last used: Wed Nov 30 10:18:54 2005
** Outstanding Requests:
 * msgid 15,  origid 15, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
   Empty
ldap_chkResponseList for msgid=15, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 15, all 1
ldap_read: message type search-entry msgid 15, original id 15
wait4msg:  39 secs to go
wait4msg continue, msgid 15, all 1
** Connections:
* host: SERVER.corp.van.dwave  port: 389 (default)
  refcnt: 2  status: Connected
  last used: Wed Nov 30 10:18:54 2005
** Outstanding Requests:
 * msgid 15,  origid 15, status InProgress
   outstanding referrals 0, parent count 0
** Response Queue:
 * msgid 15,  type 100
ldap_chkResponseList for msgid=15, all=1
ldap_chkResponseList returns NULL
ldap_int_select
read1msg: msgid 15, all 1
ldap_read: message type search-result msgid 15, original id 15
new result:  res_errno: 0, res_error: <>, res_matched: <>
read1msg:  0 new referrals
read1msg:  mark request completed, id = 15
request 15 done
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 15, msgid 15)
ldap_free_connection
ldap_free_connection: refcnt 1
adding response id 15 type 101:
ldap_parse_result
ldap_msgfree
ldap_msgfree
rlm_ldap::ldap_groupcmp: User found in group itops
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat:  '(&(sAMAccountName=apuye)(objectclass=user))'
radius_xlat:  'DC=corp,DC=van,DC=dwave'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter (&(sAMAccountName=apuye)(obje
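The two posts above show the same difficulty from both ends: the ldapsearch output carries the groups as full memberOf DNs, while the rlm_ldap debug in the previous post, with "replyItem Class memberof", adds a Class value of just "CN" for each of them. What the VPN concentrator needs is the group's name, which is the value of the leading CN RDN of each DN. The Python below is an added example, not code from this thread or from FreeRADIUS: it parses one LDIF entry (folded continuation lines, "::" base64 values, comment lines) and returns the CN of every memberOf value with RFC 4514 escapes removed. The LDIF is a constructed sample modelled on the entry above, shortened and with one escaped-comma group added to exercise the escaping; all function names are mine.

```python
import base64
import re

# Constructed sample, modelled on the ldapsearch -LLL output in this thread.
# Attribute set shortened; the "Sales\, EMEA" group is added to exercise an
# RFC 4514 escaped comma inside an RDN value. Lines starting with one space
# are LDIF continuation lines, exactly as ldapsearch prints them.
SAMPLE_LDIF = """\
dn: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van
 ,DC=dwave
memberOf: CN=itops-folder,OU=SHARED FOLDERS,OU=DataWave Users,DC=corp,DC=van,D
 C=dwave
memberOf: CN=rptpcps,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=itops,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,
 DC=dwave
memberOf: CN=Sales\\, EMEA,OU=Groups,DC=corp,DC=van,DC=dwave
sAMAccountName: apuye
objectGUID:: oO1UkRu8RkScNIOHmaB/qw==

# refldap://corp.van.dwave/CN=Configuration,DC=corp,DC=van,DC=dwave
"""

_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Continuation lines (newline + one space) are unfolded first. "attr:: value"
    carries base64 and is returned as bytes; everything else is returned as str.
    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive (memberOf in LDIF, memberof in ldap.attrmap).
    """
    entry = {}
    for line in text.replace("\n ", "").splitlines():
        if not line or line.startswith("#"):
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value)
        entry.setdefault(name.lower(), []).append(value)
    return entry


def split_unescaped(s, sep):
    """Split s on sep, ignoring separators preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep escape pairs intact
            buf.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append("".join(buf))
    return parts


def unescape_rdn_value(raw):
    """Remove RFC 4514 escaping: "\\," style pairs and "\\2C" style hex pairs."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            pair = raw[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out.append(int(pair, 16))            # one escaped byte
                i += 3
            else:
                out += raw[i + 1].encode("utf-8")    # escaped special character
                i += 2
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", "replace")


def leaf_rdn(dn):
    """Return (type, value) of the first RDN of dn, e.g. ("CN", "itops").

    Multi-valued RDNs (a=x+b=y) are not handled; AD group DNs do not use them.
    """
    first = split_unescaped(dn, ",")[0].strip()
    attr_type, _, raw = first.partition("=")
    return attr_type.strip(), unescape_rdn_value(raw.strip())


def group_names(entry):
    """The CN of each memberOf value: the string a Class reply item should carry."""
    return [leaf_rdn(dn)[1] for dn in entry.get("memberof", [])]


if __name__ == "__main__":
    for name in group_names(parse_ldif(SAMPLE_LDIF)):
        print("Class = %r" % name)
```

The unfold step is what makes the "DC=van" / " ,DC=dwave" split in the posted output harmless: LDIF folds long values at column 76 and the mail client wrapped them again, but both forms join back to one DN. Escaping matters for the same reason: an AD group named "Sales, EMEA" is stored as "CN=Sales\, EMEA,..." and a naive split on commas would hand the concentrator a truncated group name.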
RE: Can not authenticate against Active directory as LDAP server
Make sure the password has double-quotes around it. I had to do that to get it working.

Have you tried using ldapsearch first to make sure that you are feeding it the correct parameters? Try something like

ldapsearch -LLL -h 10.1.1.1 -x -b 'dc=corp,dc=van,dc=com' '(&(memberof=CN=rptpcps,OU=Users,DC=corp,DC=van,DC=com)(samaccountname=apuye))' -D [EMAIL PROTECTED] -w yourpassword

Change it to match your environment. Hope that helps.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anup Parkhi
> Sent: November 29, 2005 6:44 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Can not authenticate against Active directory as LDAP server
>
> My environment is
>
> FreeRadius: 1.0.5 on RedHat
> Funk Odyssey supplicant. (Tried with XP supplicant also)
> Authenticator: HP procurve switch
> EAP: EAP-MD5
> Directory: Active directory as LDAP server
>
> I am getting the following error while authenticating users in Active directory. Any help is appreciated. I went through ldap_how_to.txt and changed my radiusd.conf to tailor for active directory but it is still failing.
>
> My configuration sections are
> lldap {
>         server = "10.11.12.137"
>         identity = "cn=Administrator,cn=users,dc=parkhi,dc=net"
>         password = mypassword
>         basedn = "cn=users,dc=parkhi,dc=net"
>         filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>         # base_filter = "(objectclass=radiusprofile)"
>
>         # set this to 'yes' to use TLS encrypted connections
>         # to the LDAP database by using the StartTLS extended
>         # operation.
>         # The StartTLS operation is supposed to be used with normal
>         # ldap connections instead of using ldaps (port 689) connections
>         start_tls = no
>
>         # tls_cacertfile = /path/to/cacert.pem
>         # tls_cacertdir = /path/to/ca/dir/
>         # tls_certfile = /path/to/radius.crt
>         # tls_keyfile = /path/to/radius.key
>         # tls_randfile = /path/to/rnd
>         # tls_require_cert = "demand"
>
>         # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
>         # profile_attribute = "radiusProfileDn"
>         #access_attr = "dialupAccess"
>
>         # Mapping of RADIUS dictionary attributes to LDAP
>         # directory attributes.
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>
>         ldap_connections_number = 10
>
>         #
>         # NOTICE: The password_header directive is NOT case insensitive
>         #
>         # password_header = "{clear}"
>         #
>         # The server can usually figure this out on its own, and pull
>         # the correct User-Password or NT-Password from the database.
>         #
>         # Note that NT-Passwords MUST be stored as a 32-digit hex
>         # string, and MUST start off with "0x", such as:
>         #
>         #       0x000102030405060708090a0b0c0d0e0f
>         #
>         # Without the leading "0x", NT-Passwords will not work.
>         # This goes for NT-Passwords stored in SQL, too.
>         #
>         password_attribute = User-Password
>         # groupname_attribute = cn
>         # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>         # groupmembership_attribute = radiusGroupName
>         timeout = 4
>         timelimit = 3
>         net_timeout = 1
>         compare_check_items = no
>         # do_xlat = yes
>         # access_attr_used_for_allow = yes
> }
>
> authorize {
>         preprocess
>         suffix
>         file
RE: Freeradius How to integrate Active Directory and return group attribute to VPN Concentrator
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dusty Doris
> Sent: November 25, 2005 9:43 AM
> To: FreeRadius users mailing list
> Subject: RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
>
> > So, the question again is if the VPN Concentrator is only sending
> > username and password, do I need ntlm_auth or ms-chap? FreeRADIUS
> > doesn't have any usernames and passwords and will query Active
> > Directory for the actual authentication.
> >
> > Thanks,
>
> If the packet is merely containing plaintext username and password, then you can probably just use rlm_ldap against AD and hit it directly. Just need to setup a user with read access to the directory to do the initial bind with and search of the user for authorization. Then the user will be authenticated by doing a bind against AD with the username/password in the packet.
>
> BTW - I use freeradius w/ ldap for cisco VPN concentrators as well, although it's openldap instead of AD. To pass back the class attribute, you must modify ldap.attrmap and specify the reply item of Class to match what you call it in the directory.
>
> eg:
>
> replyItem Class radiusClass
>
> Then in the directory, you have
>
> dn: cn=someuser,...
> ...
> radiusClass: "OU=myvpngroup;"
>
> So, for AD, you'll need to extend the schema and add an attribute for this. Or if you already have something that you can use, just modify ldap.attrmap to know what it is.

Ok, this is the part that's not working for me. I have gotten FreeRADIUS to authenticate and authorize both user and group.

Radiusd.conf:

filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))"

This works fine. However I can't get it to return any replyItems. Has anyone gotten this to work with Active Directory? All the docs I see on the Net reference OpenLDAP. I'm sure there are a lot of folks out there running Windows 2000/2003 Active Directory.

I have spent a couple of days on this not having much luck. Here are a few questions that would help me a bit.

1) Do I need groupname_attribute to get this to work?

2) What about groupmembership_filter and groupmembership_attribute?

My ldap.attrmap looks like this:

replyItem Class groupofnames
replyItem Class group

I think the above is correct. Can someone shed some light on this?

Here is my debug output when I authenticate

Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:37372, id=210, length=57
        User-Name = "apuye"
        User-Password = ""
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat:  '(&(sAMAccountName=apuye)(memberOf=CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))'
radius_xlat:  'DC=corp,DC=van,DC=dwave'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 0
rlm_ldap: bind as cn=Alhagie Puye,ou=Information Technology,ou=DataWave Users,dc=corp,dc=van,dc=dwave/ to huckster.corp.van.dwave:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=corp,DC=van,DC=dwave, with filter (&(sAMAccountName=apuye)(memberOf=CN=rptpcps,OU=Datawave Users,DC=corp,DC=van,DC=dwave))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user apuye authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request
FreeRADIUS->Active Directory
Hello all,

I am still running into problems with this setup. I have made some progress though. First off, my setup is:

SSL VPN Client -> Cisco VPN Concentrator -> FreeRadius -> Active Directory

I can query Active with the ldapsearch tool.

waggawagga raddb # ldapsearch -h w.x.y.z -x -b 'ou=information technology,ou=datawave users,dc=corp,dc=van,dc=dwave' '(samaccountname=apuye)' -D [EMAIL PROTECTED] -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (samaccountname=apuye)
# requesting: ALL
#

# Alhagie Puye, Information Technology, DataWave Users, corp.van.dwave
dn: CN=Alhagie Puye,OU=Information Technology,OU=Datawave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=itops-folder,OU=SHARED FOLDERS,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=rptpcps,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=itops,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave
memberOf: CN=datawave,OU=DataWave Users,DC=corp,DC=van,DC=dwave
accountExpires: 9223372036854775807
badPasswordTime: 127775870835283171
badPwdCount: 0
codePage: 0
cn: Alhagie Puye
countryCode: 0
description: IT Operations
displayName: Alhagie Puye
givenName: Alhagie
homeDirectory: \\server\apuye
homeDrive: H:
instanceType: 4
lastLogoff: 0
lastLogon: 127776922250294313
logonCount: 173
msNPAllowDialin: TRUE
distinguishedName: CN=Alhagie Puye,OU=Information Technology,OU=DataWave Users,DC=corp,DC=van,DC=dwave
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=van,DC=dwave
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: oO1UkRu8RkScNIOHmaB/qw==
objectSid:: AQUAAAUVzSmuLihcKk12fipaZwkAAA==
primaryGroupID: 513
profilePath: \\\server1\apuye
pwdLastSet: 127771529310887572
name: Alhagie Puye
sAMAccountName: apuye
sAMAccountType: 805306368
sn: Puye
userAccountControl: 512
userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI
 CAgUBAaCAFDdHhDZmdQcmVzZW5045S15pSx5oiw44GiGAgBQ3R4Q2ZnRmxhZ3Mx44Cw44Gm4
 6Cy44
 C5FggBQ3R4Q2FsbGJhY2vjgLDjgLDjgLDjgLASCAFDdHhTaGFkb3fjhLDjgLDjgLDjgLAoCA
 FDdHh
 NYXhDb25uZWN0aW9uVGltZeOAsOOAsOOAsOOAsC4IAUN0eE1heERpc2Nvbm5lY3Rpb25UaW1
 l44Cw
 44Cw44Cw44CwHAgBQ3R4TWF4SWRsZVRpbWXjgLDjgLDjgLDjgLAiCAFDdHhLZXlib2FyZExh
 eW91d
 OOAsOOAsOOAsOOAsCoCAUN0eE1pbkVuY3J5cHRpb25MZXZlbOOEsCACAUN0eFdvcmtEaXJlY
 3Rvcn
 njgLAgAgFDdHhOV0xvZ29uU2VydmVy44CwGAIBQ3R4V0ZIb21lRGly44CwIgIBQ3R4V0ZIb2
 1lRGl
 yRHJpdmXjgLAgAgFDdHhXRlByb2ZpbGVQYXRo44CwIgIBQ3R4SW5pdGlhbFByb2dyYW3jgLA
 iAgFD
 dHhDYWxsYmFja051bWJlcuOAsA==
userPrincipalName: [EMAIL PROTECTED]
uSNChanged: 7588047
uSNCreated: 5713011
whenChanged: 20051122170851.0Z
whenCreated: 20050902184213.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
waggawagga raddb #

When I run:

Server# radtest apuye password localhost 1 testing123

I get:

rad_recv: Access-Request packet from host 127.0.0.1:49732, id=181, length=57
        User-Name = "apuye"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat:  '(sAMAccountName=apuye)'
radius_xlat:  'ou=Information Technology,ou=DataWave Users,dc=corp,dc=van,dc=dwave'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to huckster.corp.van.dwave:389, authentication 0
rlm_ldap: bind as cn=apuye,ou=Information Technology,ou=DataWave Users,DC=corp,DC=van,DC=dwave/ to w2kserver.corp.van.dwave:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=Information Technology,ou=DataWave Users,dc=corp,dc=van,dc=dwave, with filter (sAMAccountName=apuye)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0

My radiusd.conf file looks like this:

ldap {
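Two of the debug traces in this thread, the one just above and the earlier one against huckster, show rlm_ldap binding with nothing after the slash, that is with an empty password, and the server answering "Bind was successful" before the search fails. In LDAP terms a simple bind with a non-empty name and a zero-length password is the "unauthenticated" bind of RFC 4513 section 5.1.2: many servers accept it and grant only anonymous rights, and the trace above shows this one did, so a successful bind result on its own says nothing about whether a password was checked. The Python below is an added example, not code from this thread or from FreeRADIUS: it encodes an LDAPv3 simple BindRequest as BER (RFC 4511 section 4.2) so the empty password is visible on the wire, names the bind flavour, and refuses to build a request unless both name and password are present, which is the check any component that maps "bind succeeded" to "password correct" needs before sending. No LDAP library is used, so it runs offline; all function names are mine.

```python
# Added example: LDAPv3 simple BindRequest encoding (RFC 4511 section 4.2)
# and a guard against the "unauthenticated" bind of RFC 4513 section 5.1.2.
# Function names are mine; no LDAP library is used so this runs offline.


def ber_length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """INTEGER, non-negative values only (message ids, protocol version)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return ber_tlv(0x02, body)


def classify_bind(dn, password):
    """Which RFC 4513 simple-bind flavour these credentials would produce."""
    if not dn and not password:
        return "anonymous"         # section 5.1.1: empty name, empty password
    if dn and not password:
        return "unauthenticated"   # section 5.1.2: name but no password
    if not dn:
        return "invalid"           # password without a name: nothing to authenticate
    return "authenticated"         # section 5.1.3: name/password authentication


def bind_request(msgid, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = ber_tlv(
        0x60,                                            # [APPLICATION 0] BindRequest
        ber_integer(3)                                   # version
        + ber_tlv(0x04, dn.encode("utf-8"))              # name (LDAPDN as OCTET STRING)
        + ber_tlv(0x80, password.encode("utf-8")),       # authentication: simple [0]
    )
    return ber_tlv(0x30, ber_integer(msgid) + bind)      # LDAPMessage SEQUENCE


def safe_bind_request(msgid, dn, password):
    """Build a BindRequest only for credentials that can actually be verified.

    A server may answer an unauthenticated bind with success while granting
    anonymous rights, so a caller that treats "bind succeeded" as "password is
    correct" must reject an empty password before sending anything at all.
    """
    flavour = classify_bind(dn, password)
    if flavour != "authenticated":
        raise ValueError("refusing %s bind for %r" % (flavour, dn))
    return bind_request(msgid, dn, password)


if __name__ == "__main__":
    # An empty password yields a zero-length [0] element: "8000" at the end.
    print(bind_request(1, "cn=apuye,dc=corp,dc=van,dc=dwave", "").hex())
```

The classic anonymous bind (empty name, empty password) encodes to the fourteen bytes 30 0c 02 01 01 60 07 02 01 03 04 00 80 00; the unauthenticated form differs only in carrying a name, and the trailing 80 00 is the empty password both share. The same guard applies to the identity/password pair in the ldap section of radiusd.conf: if the password setting is missing or parses as empty, the authorize bind is unauthenticated, which is consistent with the advice earlier in this thread to quote the password.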
RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
Thanks Dusty. That's very helpful. I have one little problem. I was hoping someone can shed some light on it. For the Active Directory security, I need to specify the username as "Domain\user" instead of just "user" for the identity in radiusd.conf. "[EMAIL PROTECTED]" doesn't seem to work. Here is the output:

rad_recv: Access-Request packet from host 192.168.42.1:50667, id=146, length=57
        User-Name = "user"
        User-Password = "password"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "apuye", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
    users: Matched entry DEFAULT at line 153
  modcall[authorize]: module "files" returns ok for request 4
rlm_ldap: - authorize
rlm_ldap: performing user authorization for apuye
radius_xlat:  '(uid=apuye)'
radius_xlat:  'dc=ad,dc=puyenet,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to orion.puyenet.com:389, authentication 0
rlm_ldap: bind as [EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com/password to orion.puyenet.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns fail for request 4
modcall: group authorize returns fail for request 4
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 146 with timestamp 4388ab87
Nothing to do.  Sleeping until we see a request.

The radiusd.conf file looks like this for the ldap section:

ldap {
        server = "orion.puyenet.com"
        # identity = "cn=admin,o=My Org,c=UA"
        identity = "[EMAIL PROTECTED],ou=users,dc=ad,dc=puyenet,dc=com"
        password = password
        #basedn = "o=My Org,c=UA"
        basedn = "dc=ad,dc=puyenet,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

Thanks in advance.

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dusty Doris
> Sent: November 25, 2005 9:43 AM
> To: FreeRadius users mailing list
> Subject: RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
>
> > So, the question again is if the VPN Concentrator is only sending
> > username and password, do I need ntlm_auth or ms-chap? FreeRADIUS
> > doesn't have any usernames and passwords and will query Active
> > Directory for the actual authentication.
> >
> > Thanks,
>
> If the packet is merely containing plaintext username and password, then you can probably just use rlm_ldap against AD and hit it directly. Just need to setup a user with read access to the directory to do the initial bind with and search of the user for authorization. Then the user will be authenticated by doing a bind against AD with the username/password in the packet.
>
> BTW - I use freeradius w/ ldap for cisco VPN concentrators as well, although it's openldap instead of AD. To pass back the class attribute, you must modify ldap.attrmap and specify the reply item of Class to match what you call it in the directory.
>
> eg:
>
> replyItem Class radiusClass
>
> Then in the directory, you have
>
> dn: cn=someuser,...
> ...
> radiusClass: "OU=myvpngroup;"
>
> So, for AD, you'll need to extend the schema and add an attribute for this. Or if you already have something that you can use, just modify ldap.attrmap
RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
So, the question again is if the VPN Concentrator is only sending username and password, do I need ntlm_auth or ms-chap? FreeRADIUS doesn't have any usernames and passwords and will query Active Directory for the actual authentication.

Thanks,

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alhagie Puye
> Sent: November 24, 2005 3:04 PM
> To: FreeRadius users mailing list
> Subject: RE: Freeradius How to integrate Active Directory[ADIntegrationWindowsXP NTLM Tutorial]
>
> Alhagie Puye - Network Engineer
> Datawave Group of Companies
> (604)295-1817
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> > Sent: November 24, 2005 2:36 PM
> > To: FreeRadius users mailing list
> > Subject: Re: Freeradius How to integrate Active Directory [ADIntegrationWindowsXP NTLM Tutorial]
> >
> > "Alhagie Puye" <[EMAIL PROTECTED]> wrote:
> > > SSL-VPN client -> Cisco VPN Concentrator -> FreeRadius -> W2K Active
> > > Directory
> >
> >   What is in the RADIUS packet from the VPN concentrator? EAP?
> > User-Password? You need to know this.
>
> Username and Password
>
> > > I think I should be using ntlm_auth. Or should I be using the LDAP
> > > module?
> >
> >   It depends on what's in the RADIUS packet.
> >
> >   Alan DeKok.
RE: Freeradius How to integrate Active Directory [ADIntegrationWindowsXP NTLM Tutorial]
Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: November 24, 2005 2:36 PM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius How to integrate Active Directory [ADIntegrationWindowsXP NTLM Tutorial]
>
> "Alhagie Puye" <[EMAIL PROTECTED]> wrote:
> > SSL-VPN client -> Cisco VPN Concentrator -> FreeRadius -> W2K Active
> > Directory
>
>   What is in the RADIUS packet from the VPN concentrator? EAP?
> User-Password? You need to know this.

Username and Password

> > I think I should be using ntlm_auth. Or should I be using the LDAP
> > module?
>
>   It depends on what's in the RADIUS packet.
>
>   Alan DeKok.
RE: Freeradius How to integrate Active Directory [AD IntegrationWindowsXP NTLM Tutorial]
Let me clarify. Here is my setup:

SSL-VPN client -> Cisco VPN Concentrator -> FreeRadius -> W2K Active Directory

It seems all the docs on the 'Net I have found talk about wireless or 802.1x clients. I think I should be using ntlm_auth. Or should I be using the LDAP module?

Thanks,

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: November 24, 2005 7:40 AM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius How to integrate Active Directory [AD IntegrationWindowsXP NTLM Tutorial]
>
> "Alhagie Puye" <[EMAIL PROTECTED]> wrote:
> > I have followed the steps in the howto and everything seems to work
> > fine but FreeRADIUS is ignoring "MS-CHAP".
>
>   Debug logs?
>
> > My question is...can I use Active Directory if I need to use attribute
> > 25 on FreeRADIUS?
>
>   What's attribute 25?
>
> > If so, how do I make sure that FreeRADIUS uses on MS-CHAP for an
> > authentication method?
>
>   You don't. The client chooses the authentication method.
>
>   Alan DeKok.
RE: Freeradius How to integrate Active Directory [AD IntegrationWindowsXP NTLM Tutorial]
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
> >Sent: November 24, 2005 7:40 AM
> >To: FreeRadius users mailing list
> >Subject: Re: Freeradius How to integrate Active Directory [AD IntegrationWindowsXP NTLM Tutorial]
> >
> >"Alhagie Puye" <[EMAIL PROTECTED]> wrote:
> >> I have followed the steps in the howto and everything seems to work fine but FreeRADIUS is ignoring "MS-CHAP".
> >
> >  Debug logs?
> >
> >> My question is...can I use Active Directory if I need to use attribute 25 on FreeRADIUS?
> >
> >  What's attribute 25?

This is what I'm trying to achieve: http://www.cisco.com/warp/public/471/altigagroup.html

FreeRADIUS supports Class Attributes, doesn't it?

> >> If so, how do I make sure that FreeRADIUS uses only MS-CHAP for an authentication method?
> >
> >  You don't. The client chooses the authentication method.
> >
> >  Alan DeKok.
RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
Actually, I believe the more important question is: to authenticate against Active Directory, do you need MS-CHAP or LDAP?

Thanks,

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robin Mordasiewicz
> >Sent: November 23, 2005 6:16 PM
> >To: FreeRadius users mailing list
> >Subject: RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
> >
> >On Wed, 23 Nov 2005, Alhagie Puye wrote:
> >
> >> I have followed the steps in the howto and everything seems to work fine but FreeRADIUS is ignoring "MS-CHAP". I'm using ntradping... maybe that's a wrong utility for this instance.
> >
> >I don't think you can properly test this with NTRadPing, but I have not been able to figure it out.
> >
> >I have set my wireless access point to use radius and the results I am getting are very different. I would suggest testing a tool that more closely resembles your production gear.
RE: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
ted realm (suffix)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host x.y.w.z:3998, id=17, length=45
        User-Name = "user"
        User-Password = "password"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 17 to x.y.w.z:3998
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 17 with timestamp 4384fa04
Nothing to do.  Sleeping until we see a request.

Thanks,

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817

> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Norbert Wegener
> >Sent: November 22, 2005 11:51 AM
> >To: charles schwartz; FreeRadius users mailing list
> >Subject: Re: Freeradius How to integrate Active Directory [AD Integration WindowsXP NTLM Tutorial]
> >
> >Hi Charles,
> >thank you for that howto.
> >A typo, that you might want to correct:
> >On page 9 it should be --request-nt-key instead of --nt-request-key and --username instead of -username.
> >
> >Norbert Wegener
> >
> >charles schwartz wrote:
> >
> >>Hi list,
> >>
> >>A lot of people on this list would like to integrate Active Directory with FreeRADIUS in order to provide a transparent user authentication login process.
> >>
> >>There are at least 2 ways to integrate AD: LDAP and NTLM.
> >>I've written a tutorial about how to do this with NTLM (winbind, ntlm_auth). The Windows supplicants are configured to work with PEAP and MSCHAPv2.
> >>
> >>You can download it from here:
> >>http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf
> >>
> >>Good luck!
> >>
> >>Regards,
> >>Charles Schwartz
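The debug output in the message above already answers Alan's question about what is in the RADIUS packet: the Access-Request carries User-Name and User-Password (a PAP request), every module in authorize returned noop, so nothing set Auth-Type and the server rejected the user without ever reaching the authenticate section. That reading can be done mechanically from any radiusd -X trace. What follows is an added example, not code from this list or from the FreeRADIUS project: a Python script that pulls the Access-Request attributes out of a debug trace, names the authentication method the NAS chose (PAP, CHAP, MS-CHAP or EAP), and states which FreeRADIUS back end can validate that method. The sample trace is constructed from the log above and trimmed; the function names and the method-to-back-end table are the example's own summary, not text from the thread.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (not the poster's full trace): the Access-Request and the
# authorize section from the radiusd -X output above, trimmed to what matters.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host x.y.w.z:3998, id=17, length=45
        User-Name = "user"
        User-Password = "password"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
"""

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$')
MODULE_RE = re.compile(r'modcall\[authorize\]: module "([^"]+)" returns (\w+)')
NO_AUTH_TYPE = "No authenticate method (Auth-Type) configuration found"

# Method name, the attributes that identify it in the Access-Request, and what
# FreeRADIUS can validate it against. Checked in this order: a request carrying
# EAP-Message is EAP whatever else it contains. (This mapping is the example's
# own summary of how the modules work, not text from the thread.)
METHODS: List[Tuple[str, Set[str], str]] = [
    ("EAP", {"EAP-Message"},
     "eap; the inner method decides (PEAP/MSCHAPv2 ends up in mschap + ntlm_auth)"),
    ("MS-CHAPv2", {"MS-CHAP-Challenge", "MS-CHAP2-Response"},
     "mschap with ntlm_auth against the DC, or an NT-Password the server can read"),
    ("MS-CHAPv1", {"MS-CHAP-Challenge", "MS-CHAP-Response"},
     "mschap with ntlm_auth against the DC, or an NT-Password the server can read"),
    ("CHAP", {"CHAP-Password"},
     "chap; needs a cleartext password the server can read (an LDAP bind cannot check it)"),
    ("PAP", {"User-Password"},
     "ldap (bind as the user), unix (/etc/passwd, /etc/shadow), or files with a User-Password entry"),
]


def parse_access_request(debug_text: str) -> Dict[str, str]:
    """Attributes of the first Access-Request dumped in a radiusd -X trace."""
    attrs: Dict[str, str] = {}
    in_packet = False
    for line in debug_text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_packet = True
            continue
        if not in_packet:
            continue
        m = ATTR_RE.match(line)
        if not m:
            break  # first non-attribute line ends the packet dump
        attrs[m.group(1)] = m.group(2).strip('"')
    return attrs


def classify(attrs: Dict[str, str]) -> Tuple[str, str]:
    """Name the method the NAS chose and what can validate it."""
    present = set(attrs)
    for name, needed, backend in METHODS:
        if needed <= present:
            return name, backend
    return "unknown", "no password, response or EAP attribute; nothing can authenticate this"


def diagnose(debug_text: str) -> Dict[str, object]:
    """Summarise the first request in a debug trace: method, back end, authorize results."""
    attrs = parse_access_request(debug_text)
    method, backend = classify(attrs)
    results = dict(MODULE_RE.findall(debug_text))
    return {
        "attributes": sorted(attrs),
        "method": method,
        "backend": backend,
        "authorize_results": results,
        # True when authorize finished without any module setting Auth-Type:
        # the request never reaches authenticate and is rejected outright.
        "rejected_no_auth_type": NO_AUTH_TYPE in debug_text,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_DEBUG)
    print(f"NAS sent: {report['method']} ({', '.join(report['attributes'])})")
    print(f"validate with: {report['backend']}")
    if report["rejected_no_auth_type"]:
        noop = [m for m, r in report["authorize_results"].items() if r == "noop"]
        print(f"rejected: nothing in authorize set Auth-Type (noop from {', '.join(noop)}); "
              "list a module that can check this kind of credential in authorize")
```

The table encodes the rule Alan gives earlier in the thread: the NAS chooses the method, the server only gets to pick a back end that can check what arrived. A PAP request can go to ldap or unix because the cleartext password is in the packet; an MS-CHAP request carries only a challenge and a response, so an LDAP simple bind cannot verify it and you need mschap with ntlm_auth (or an NT hash the server can read); an EAP request is settled by the inner method inside the TLS tunnel, which is why the PEAP/MSCHAPv2 tutorial ends up at mschap + ntlm_auth as well.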
Password Expiry policy
Hello all,

I was wondering if anyone has implemented the feature of password expiry with Freeradius used for authenticating Cisco VPN clients. I have a Cisco PIX firewall using Freeradius as a backend (/etc/passwd). Any help would be greatly appreciated.

Thanks in advance,

Alhagie Puye - Network Engineer
Datawave Group of Companies
(604)295-1817
Radius setup
Hey all,

I am new to setting up radius but from what I read, it should be very simple to achieve my goal. I have done a lot of reading from both the web site, the /doc directory and the file comments too.

This is what I'm trying to do: We have a PIX box and I have a Redhat system with all the passwords in /etc/password. I have installed FreeRADIUS on it (latest version). All I would like to accomplish is for VPN clients to use their existing usernames and passwords in /etc/password to authenticate. I have edited client.conf and put the correct entry for the PIX box.

Besides configuring the PIX, am I missing anything on the FreeRADIUS side to make this happen? BTW, radtest works just fine.

Thanks in advance,

Alhagie