Huntgroup and regular expression

2008-04-29 Thread Bill Shaver
I am running a fairly old version of FreeRADIUS (1.0.1). I would like
to define a regular expression (such as Guest\d+) for a set of users in
the huntgroup file for a specific NAS. Based on my reading of the docs,
this does not look like it is possible/supported, but I wanted to check
with the experts on the list in case I had overlooked something obvious.

Thanks for your time and wisdom. 
--Bill

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Trouble configuring SQL data store for users (second attempt)

2007-09-17 Thread Bill Shaver
Please forgive the duplicate post. I posted this a few days back and
didn't see any response; thought I would give it just one more try.
Thanks for any response.
--Bill



I have started to experiment with using mysql as the datastore for users
and clients instead of the default file method for my relatively small
installation. Right now my work is on a test system and all is working
well, with one exception: a user that is a member of two or more groups. 
Based on all I have read, this last thing should be very basic.

If I put the user in only groupA (in the usergroup table), the test
works great. If I put user1 in only groupB, the test works great. When
I put user1 in both groupA and groupB in the usergroup table it will
only work against the first record of the two, the second record always
returns a failure.

I am sure this is probably something really stupid, but I just cannot
see it. Any help would be appreciated.

I have attached table dumps, sample commands, and a debug trace. I hope
it is helpful.

Thanks,
--Bill


FreeRadius version 1.0.1
MySQL  version 4.1.20


vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED]  password \
localhost:1645 10 naspass
will succeed, while
vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED]  password \
localhost:1645 10 naspass
fails, but should succeed 


The following is a test data set to validate a variety of cases that we
need to support in our environment.

select * from radcheck  into outfile '/tmp/f1';

id  username  attribute  op  value
--  --------  ---------  --  --------
1   bill      Password   ==  userpass
5   guest01   Auth-Type  :=  Local
6   guest01   Password   ==  password

select * from radreply  into outfile '/tmp/f4';

id  username  attribute     op  value
--  --------  ------------  --  ------------
7   guest01   Class         :=  OU=Wireless;
8   guest01   Fall-Through  :=  No

select * from radgroupcheck into outfile '/tmp/f2';

id  groupname     attribute  op  value
--  ------------  ---------  --  --------
6   LocalUnix     Auth-Type  ==  System
7   LocalUnix     Realm      ==  Test
9   LdapCiscoAdm  Password   ==  password
10  LdapCiscoAdm  Auth-Type  ==  Local
11  LdapCiscoAdm  Realm      ==  cisi
12  LdapHpReho    Realm      ==  syst
13  LdapHpReho    Auth-Type  ==  Local
14  LdapHpReho    Password   ==  password
15  Rejected      Auth-Type  :=  Reject

select * from radgroupreply into outfile '/tmp/f3';

id  groupname     attribute      op  value                   prio
--  ------------  -------------  --  ----------------------  ----
8   LocalUnix     Service-Type   =   Login                   0
9   LdapCiscoAdm  Cisco-AVPair   =   shell:priv-lvl=15       0
10  LdapCiscoAdm  Class          :=  OU=cis;                 0
11  LdapCiscoAdm  Fall-Through   :=  Yes                     0
12  LdapCiscoAdm  Service-Type   =   6                       0
13  LdapHpReho    Class          :=  OU=Proj;                0
14  LdapHpReho    Fall-Through   :=  Yes                     0
15  Rejected      Fall-Through   :=  No                      0
17  Rejected      Reply-Message  :=  Account is locked out.  0

select * from usergroup into outfile '/tmp/f5';

id  username  groupname
--  --------  ------------
9   root      LocalUnix
10  kparr     LdapCiscoAdm
11  kchow     LdapHpReho
12  jpage     Rejected
13  kparr     LdapHpReho
14  bshaver   LdapCiscoAdm



vm # radiusd -x
Starting - reading configuration files ...
Module: Loaded exec
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_my

Trouble configuring SQL data store for users

2007-09-14 Thread Bill Shaver
I have started to experiment with using mysql as the datastore for users
and clients instead of the default file method for my relatively small
installation. Right now my work is on a test system and all is working
well, with one exception: a user that is a member of two or more groups. 
Based on all I have read, this last thing should be very basic.

If I put the user in only groupA (in the usergroup table), the test
works great. If I put user1 in only groupB, the test works great. When
I put user1 in both groupA and groupB in the usergroup table it will
only work against the first record of the two, the second record always
returns a failure.

I am sure this is probably something really stupid, but I just cannot
see it. Any help would be appreciated.

I have attached table dumps, sample commands, and a debug trace. I hope
it is helpful.

Thanks,
--Bill


FreeRadius version 1.0.1
MySQL  version 4.1.20


vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED]  password \
localhost:1645 10 naspass
will succeed, while
vm # /usr/bin/radtest -d /etc/raddb [EMAIL PROTECTED]  password \
localhost:1645 10 naspass
fails, but should succeed 


The following is a test data set to validate a variety of cases that we
need to support in our environment.

select * from radcheck  into outfile '/tmp/f1';

id  username  attribute  op  value
--  --------  ---------  --  --------
1   bill      Password   ==  userpass
5   guest01   Auth-Type  :=  Local
6   guest01   Password   ==  password

select * from radreply  into outfile '/tmp/f4';

id  username  attribute     op  value
--  --------  ------------  --  ------------
7   guest01   Class         :=  OU=Wireless;
8   guest01   Fall-Through  :=  No

select * from radgroupcheck into outfile '/tmp/f2';

id  groupname     attribute  op  value
--  ------------  ---------  --  --------
6   LocalUnix     Auth-Type  ==  System
7   LocalUnix     Realm      ==  Test
9   LdapCiscoAdm  Password   ==  password
10  LdapCiscoAdm  Auth-Type  ==  Local
11  LdapCiscoAdm  Realm      ==  cisi
12  LdapHpReho    Realm      ==  syst
13  LdapHpReho    Auth-Type  ==  Local
14  LdapHpReho    Password   ==  password
15  Rejected      Auth-Type  :=  Reject

select * from radgroupreply into outfile '/tmp/f3';

id  groupname     attribute      op  value                   prio
--  ------------  -------------  --  ----------------------  ----
8   LocalUnix     Service-Type   =   Login                   0
9   LdapCiscoAdm  Cisco-AVPair   =   shell:priv-lvl=15       0
10  LdapCiscoAdm  Class          :=  OU=cis;                 0
11  LdapCiscoAdm  Fall-Through   :=  Yes                     0
12  LdapCiscoAdm  Service-Type   =   6                       0
13  LdapHpReho    Class          :=  OU=Proj;                0
14  LdapHpReho    Fall-Through   :=  Yes                     0
15  Rejected      Fall-Through   :=  No                      0
17  Rejected      Reply-Message  :=  Account is locked out.  0

select * from usergroup into outfile '/tmp/f5';

id  username  groupname
--  --------  ------------
9   root      LocalUnix
10  kparr     LdapCiscoAdm
11  kchow     LdapHpReho
12  jpage     Rejected
13  kparr     LdapHpReho
14  bshaver   LdapCiscoAdm



vm # radiusd -x
Starting - reading configuration files ...
Module: Loaded exec
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded SQL
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sq
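As an added example (not code from the post or from FreeRADIUS), the table dumps above loaded into an in-memory SQLite database, used here as a stand-in for the MySQL instance, so that the group lookups the SQL module depends on can be inspected offline for one user. Column names follow the FreeRADIUS 1.x schema. The only semantics it encodes is the users-file rule for a `Realm == value` check item; it does not model how rlm_sql 1.0.1 walks a user's groups or honours Fall-Through between them.

```python
import sqlite3

# Added example, not code from the post or from FreeRADIUS. The five tables
# are the constructed dumps posted above, loaded into SQLite (a stand-in for
# the MySQL instance) so the joins the SQL module relies on can be inspected
# offline. Column names follow the 1.x schema.

SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT, prio INTEGER);
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, username TEXT, groupname TEXT);
"""

ROWS = {
    "radcheck": [(1, "bill", "Password", "==", "userpass"),
                 (5, "guest01", "Auth-Type", ":=", "Local"),
                 (6, "guest01", "Password", "==", "password")],
    "radreply": [(7, "guest01", "Class", ":=", "OU=Wireless;"),
                 (8, "guest01", "Fall-Through", ":=", "No")],
    "radgroupcheck": [(6, "LocalUnix", "Auth-Type", "==", "System"),
                      (7, "LocalUnix", "Realm", "==", "Test"),
                      (9, "LdapCiscoAdm", "Password", "==", "password"),
                      (10, "LdapCiscoAdm", "Auth-Type", "==", "Local"),
                      (11, "LdapCiscoAdm", "Realm", "==", "cisi"),
                      (12, "LdapHpReho", "Realm", "==", "syst"),
                      (13, "LdapHpReho", "Auth-Type", "==", "Local"),
                      (14, "LdapHpReho", "Password", "==", "password"),
                      (15, "Rejected", "Auth-Type", ":=", "Reject")],
    "radgroupreply": [(8, "LocalUnix", "Service-Type", "=", "Login", 0),
                      (9, "LdapCiscoAdm", "Cisco-AVPair", "=", "shell:priv-lvl=15", 0),
                      (10, "LdapCiscoAdm", "Class", ":=", "OU=cis;", 0),
                      (11, "LdapCiscoAdm", "Fall-Through", ":=", "Yes", 0),
                      (12, "LdapCiscoAdm", "Service-Type", "=", "6", 0),
                      (13, "LdapHpReho", "Class", ":=", "OU=Proj;", 0),
                      (14, "LdapHpReho", "Fall-Through", ":=", "Yes", 0),
                      (15, "Rejected", "Fall-Through", ":=", "No", 0),
                      (17, "Rejected", "Reply-Message", ":=", "Account is locked out.", 0)],
    "usergroup": [(9, "root", "LocalUnix"), (10, "kparr", "LdapCiscoAdm"),
                  (11, "kchow", "LdapHpReho"), (12, "jpage", "Rejected"),
                  (13, "kparr", "LdapHpReho"), (14, "bshaver", "LdapCiscoAdm")],
}


def load():
    """Build the in-memory database from SCHEMA and ROWS."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, rows in ROWS.items():
        # table names come from the fixed dict above; values are bound as parameters
        marks = ",".join("?" * len(rows[0]))
        db.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), rows)
    return db


def group_check_items(db, username):
    """Every check item the user's groups carry, in usergroup order, then id order."""
    return db.execute("""
        SELECT ug.groupname, gc.attribute, gc.op, gc.value
          FROM usergroup ug
          JOIN radgroupcheck gc ON gc.groupname = ug.groupname
         WHERE ug.username = ?
         ORDER BY ug.id, gc.id""", (username,)).fetchall()


def realm_gates(db, username):
    """{groupname: realm} for the user's groups that carry a  Realm == value  check."""
    return dict(db.execute("""
        SELECT ug.groupname, gc.value
          FROM usergroup ug
          JOIN radgroupcheck gc ON gc.groupname = ug.groupname
         WHERE ug.username = ? AND gc.attribute = 'Realm' AND gc.op = '=='
         ORDER BY ug.id""", (username,)).fetchall())


def groups_for_realm(db, username, realm):
    """The user's groups whose Realm check (if any) is satisfied by this realm.

    Applies only the users-file rule for a  Realm == value  check item; it does
    not model how rlm_sql 1.0.1 walks the groups or honours Fall-Through."""
    return [g for (g,) in db.execute("""
        SELECT ug.groupname
          FROM usergroup ug
         WHERE ug.username = ?
           AND NOT EXISTS (SELECT 1 FROM radgroupcheck gc
                            WHERE gc.groupname = ug.groupname
                              AND gc.attribute = 'Realm' AND gc.op = '=='
                              AND gc.value <> ?)
         ORDER BY ug.id""", (username, realm))]


def group_reply_items(db, groupname):
    """Reply items one group would contribute, ordered by prio, then id."""
    return db.execute("""
        SELECT attribute, op, value FROM radgroupreply
         WHERE groupname = ? ORDER BY prio, id""", (groupname,)).fetchall()


if __name__ == "__main__":
    db = load()
    for realm in ("cisi", "syst"):
        print("kparr@%s -> groups whose Realm check passes: %s"
              % (realm, groups_for_realm(db, "kparr", realm)))
```

Run stand-alone it prints, for kparr, that the `cisi` realm satisfies only LdapCiscoAdm and `syst` only LdapHpReho, which is the behaviour the post expects of the two group memberships; `group_check_items` shows the combined list of check items both groups contribute, including the two mutually exclusive Realm checks, which is the first thing to compare against the server's debug output.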

Re: LDAP Authentication (MS Windows AD)

2004-05-31 Thread Bill Shaver
Dusty,
Thanks. I spent some time working at it from the LDAP angle and it
still fails with the ldapsearch. I will do some more reading/research
to get that working first, then if I have problems getting it work
with FreeRADIUS, I will get back with you all. (If you have some good
recommendations on howto's or other references getting OpenLDAP and MS
AD to talk, I would appreciate the suggestions.)

Thanks for the pointers.
--Bill

From Dustin Doris on Sat, 29 May 2004 10:40:55 -0400 (EDT)

Hmmm...  Perhaps you should double-check just to make sure.  Do you have
access to a machine with openldap on it?  You could use the ldapsearch
command to attempt a bind to AD.

It would look something like this:

$ ldapsearch -h win-dc.win-dom.ctc.edu -D "CN=User\\, Asteroid,OU=System
Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu" -w
whateveryourpasswordis -b "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
"(SamAccountName=jdummy)"

-Dusty

On Fri, 28 May 2004, Bill Shaver wrote:

> Thanks for the reply. Yes, it is a goofy name, but I am told it does
> have read access on AD (it is in the 'domain user' group).
>
> From: Dustin Doris <[EMAIL PROTECTED]> on Fri, 28 May 2004 13:16:20 -0400
> >
> > Is "CN=User\\, Asteroid,OU=System Accounts..." a valid user with read
> > access to AD?
> >
> > > It seems that this should not be so hard; I am sure I am making a stupid
> > > mistake somewhere, but I just don't see it.
> > >
> > > I am attempting to set up freeradius 0.9.3 (redhat) to use (initially) one
> > > of several Windows 2003 AD for authentication. I am, however, unable to
> > > get the first one to work. I have attached what I think are the relevant
> > > log and configuration sections. The Windows admin is not seeing any
> > > errors in her logs. On the radius side, it seems that radiusd is not able to
> > > negotiate a connection that the ldap server will accept.
> > >
> > > Any recommendations would be appreciated.
> > >   --Bill
> > >
> > >
> > > --- ldap config from radiusd.conf
> > >
> > > ldap {
> > >   server = "win-dc.win-dom.ctc.edu"
> > >   port = 636
> > >   identity = "CN=User\\, Asteroid,OU=System 
> > > Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> >
> > ** Is "CN=User\\, Asteroid,OU=System Accounts... a valid user with read
> > access to AD?
> >
> > >   password = ""
> > >   start_tls = yes
> > >   basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> > >   filter = "(SamAccountName=%u)"
> > >   dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >   ldap_connections_number = 5
> > >   timeout = 4
> > >   timelimit = 3
> > >   net_timeout = 1
> > >   ldap_debug = 0x0028
> > > }



Re: LDAP Authentication (MS Windows AD)

2004-05-28 Thread Bill Shaver
Thanks for the reply. Yes, it is a goofy name, but I am told it does
have read access on AD (it is in the 'domain user' group).

From: Dustin Doris <[EMAIL PROTECTED]> on Fri, 28 May 2004 13:16:20 -0400
> 
> Is "CN=User\\, Asteroid,OU=System Accounts..." a valid user with read
> access to AD?
> 
> > It seems that this should not be so hard; I am sure I am making a stupid
> > mistake somewhere, but I just don't see it.
> >
> > I am attempting to set up freeradius 0.9.3 (redhat) to use (initially) one
> > of several Windows 2003 AD for authentication. I am, however, unable to
> > get the first one to work. I have attached what I think are the relevant
> > log and configuration sections. The Windows admin is not seeing any
> > errors in her logs. On the radius side, it seems that radiusd is not able to
> > negotiate a connection that the ldap server will accept.
> >
> > Any recommendations would be appreciated.
> > --Bill
> >
> >
> > --- ldap config from radiusd.conf
> >
> > ldap {
> > server = "win-dc.win-dom.ctc.edu"
> > port = 636
> > identity = "CN=User\\, Asteroid,OU=System 
> > Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> 
> ** Is "CN=User\\, Asteroid,OU=System Accounts... a valid user with read
> access to AD?
> 
> > password = ""
> > start_tls = yes
> > basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
> > filter = "(SamAccountName=%u)"
> > dictionary_mapping = ${raddbdir}/ldap.attrmap
> > ldap_connections_number = 5
> > timeout = 4
> > timelimit = 3
> > net_timeout = 1
> > ldap_debug = 0x0028
> > }



LDAP Authentication (MS Windows AD)

2004-05-28 Thread Bill Shaver

It seems that this should not be so hard; I am sure I am making a stupid
mistake somewhere, but I just don't see it.

I am attempting to set up freeradius 0.9.3 (redhat) to use (initially) one
of several Windows 2003 AD for authentication. I am, however, unable to
get the first one to work. I have attached what I think are the relevant
log and configuration sections. The Windows admin is not seeing any
errors in her logs. On the radius side, it seems that radiusd is not able to 
negotiate a connection that the ldap server will accept.

Any recommendations would be appreciated.
--Bill


--- ldap config from radiusd.conf

ldap {
server = "win-dc.win-dom.ctc.edu"
port = 636
identity = "CN=User\\, Asteroid,OU=System 
Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
password = ""
start_tls = yes
basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
filter = "(SamAccountName=%u)"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
ldap_debug = 0x0028
}

I have tried various combinations of port 636 or 389, start_tls yes or no
with no success.

--- radiusd -X -A

Module: Loaded LDAP 
 ldap: server = "win-dc.win-dom.ctc.edu"
 ldap: port = 636
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = "CN=User\, Asteroid,OU=System 
Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
 ldap: start_tls = yes
 ldap: password = ""
 ldap: basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
 ldap: filter = "(SamAccountName=%u)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "(null)"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/raddb/ldap.attrmap"
 ldap: ldap_debug = 40
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
conns: (nil)
rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x81078a8
Module: Instantiated ldap (ldap) 


rad_recv: Access-Request packet from host 127.0.0.1:32792, id=174, length=58
User-Name = "jdummy"
User-Password = ""
NAS-IP-Address = 255
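As an added example (not code from the thread or from FreeRADIUS), a small Python checker that reads the posted ldap block the way the server's debug output above shows it being read, then applies the checks a reviewer would run on it: that the doubled backslash before the comma in the CN survives as a single RFC 4514 escape (the debug output prints `CN=User\, Asteroid`), that StartTLS is not being requested on port 636 (StartTLS upgrades a cleartext session on 389; 636 is LDAPS and speaks TLS from the first byte), and that the bind password is not empty (an unauthenticated bind, which directories treat as anonymous or reject). The block is a constructed copy of the one in the post with its empty password kept; the rules encode general LDAP behaviour and are not a diagnosis of this particular failure.

```python
import re

# Added example, not FreeRADIUS code: parse an rlm_ldap block the way the
# server's debug output shows it being read, then apply a few checks.

# Constructed copy of the block posted above (the password is empty in the post).
LDAP_BLOCK = r'''
ldap {
        server = "win-dc.win-dom.ctc.edu"
        port = 636
        identity = "CN=User\\, Asteroid,OU=System Accounts,OU=CIS,OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
        password = ""
        start_tls = yes
        basedn = "OU=Accounts,DC=WIN-DOM,DC=ctc,DC=edu"
        filter = "(SamAccountName=%u)"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        ldap_debug = 0x0028
}
'''

_KV = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')


def unquote(value):
    """Strip surrounding double quotes and resolve backslash escapes, so the
    doubled backslash before the comma in the file becomes the single one
    that the debug log prints."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_block(text):
    """Return {key: value} for one  name { ... }  block (no nesting needed here)."""
    cfg = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            cfg[m.group(1)] = unquote(m.group(2))
    return cfg


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == '\\':
            cur.append(ch)
            esc = True
        elif ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append(''.join(cur))
    return rdns


def lint(cfg):
    """Return a list of findings for the parsed block."""
    findings = []
    port = int(cfg.get("port", "389"), 0)
    start_tls = cfg.get("start_tls", "no").lower() in ("yes", "on", "true", "1")
    if port == 636 and start_tls:
        findings.append("start_tls with port 636: StartTLS upgrades a cleartext "
                        "session on 389; 636 is LDAPS and speaks TLS from the first "
                        "byte. Use 389 with start_tls, or 636 without it.")
    if port == 389 and not start_tls:
        findings.append("cleartext LDAP: the bind password crosses the network unencrypted.")
    if cfg.get("identity") and cfg.get("password", "") == "":
        findings.append("identity set but password empty: an unauthenticated bind, "
                        "which servers treat as anonymous or reject; AD by default "
                        "answers anonymous searches only for the rootDSE.")
    for rdn in split_dn(cfg.get("identity", "")):
        if "=" not in rdn:
            findings.append("identity RDN %r has no '=': a comma inside a value "
                            "probably lost its backslash escape." % rdn)
    return findings


if __name__ == "__main__":
    cfg = parse_block(LDAP_BLOCK)
    print("identity as the server sees it:", cfg["identity"])
    print("ldap_debug:", int(cfg["ldap_debug"], 0))
    for f in lint(cfg):
        print("-", f)
```

`parse_block` reproduces two details visible in the debug output above: `ldap_debug = 0x0028` is read as 40, and the identity comes out as `CN=User\, Asteroid,...` with a single backslash. Dropping one backslash in the file (`CN=User\, Asteroid` inside double quotes) would leave a bare comma, split the CN into two malformed RDNs, and be reported by `lint` as a lost escape.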

Re: Using kerberos for authentication -- multiple realms.

2004-05-09 Thread Bill Shaver

Alan,
Thanks for your quick response. I put several more hours of testing
in after I made this posting and determined it is almost certainly 
not a radius issue, but probably a PAM or Kerberos issue, so I am 
starting to dig deeper in those areas. The LDAP information is 
interesting and may prove to be the option I need to take if I can't 
get the Kerberos working soon.

Thanks for your assistance.
--Bill


On Sun, May 09, 2004 at 08:34:48AM -0400, Alan DeKok wrote:
> Bill Shaver <[EMAIL PROTECTED]> wrote:
> > I need to add at least one more Kerberos realm (read MS Windows forest/AD)
> > back-end authentication store. (These MS Windows forests do not trust
> > each other.) On the radius server (computer), I can manually perform kinit
> > requests against each krb5 realm just fine. My problem is how do I get
> > freeradius (or PAM) to take the authentication request and direct it to
> > the correct Kerberos server/realm. It seems this should not be that hard,
> > I am probably missing something very basic.
> 
>   That would depend on pam_krb5.  If it doesn't describe how to do
> this, it probably can't.
> 
> > -- I have looked into the rlm_krb, but have gotten nowhere (I can't
> > find it in the RPMs, and I can't get it to compile).
> 
>   If it's not in the RPM's, it's probably because the Kerberos on RH
> is different than the one in the module.
> 
>   You might try the latest CVS snapshot.  The kerberos module may have
> been updated.
> 
> > -- I have looked at (although not experimented with) LDAP authentication,
> > but it looks like I would have the same problem.
> 
>   I'm not sure why.  You can have multiple instances of the LDAP
> module, each pointing to a different back-end.



Using kerberos for authentication -- multiple realms.

2004-05-08 Thread Bill Shaver

I am new to this list and am hoping for some assistance with my freeradius
configuration. Please forgive me if this is a stupid question, but I am 
stumped.

Background:

Red Hat 9.0
Freeradius (from RH)
The RPMs that seem most relevant are:
freeradius-0.9.3-1
krb5-libs-1.2.7-14
krb5-workstation-1.2.7-14
pam_krb5-1.60-1

I have had it up and running fairly well for several months --
my compliments to the author(s).  The relevant components in my
configuration to this question are a Cisco VPN concentrator as the NAS
and the radius server authenticates via PAM (PAM routes it as a Kerberos 
request to an MS Windows 2000 AD).

The problem:
I need to add at least one more Kerberos realm (read MS Windows forest/AD)
back-end authentication store. (These MS Windows forests do not trust
each other.) On the radius server (computer), I can manually perform kinit
requests against each krb5 realm just fine. My problem is how do I get
freeradius (or PAM) to take the authentication request and direct it to
the correct Kerberos server/realm. It seems this should not be that hard,
I am probably missing something very basic.

Some other notes:
-- I have looked into the rlm_krb, but have gotten nowhere (I can't
find it in the RPMs, and I can't get it to compile).
-- I would like to avoid setting up lots of proxies, it does not seem
appropriate in this environment.
-- I have looked at (although not experimented with) LDAP authentication,
but it looks like I would have the same problem.

Any pointers, even to existing documents I have not yet found, would be
most appreciated. If it can't be done, feel free to tell me that too --
I will stop beating my head against this wall.

Best Wishes,
--Bill
