RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of King, Michael
 Sent: 11 April 2006 16:34
 To: FreeRadius users mailing list
 Subject: RE: How do I set up simple AD integration?
 
 
 You would still need with_ntdomain_hack = yes
 
 But that isn't your actual problem.
 
 It never called ntlm_auth
 

I'd seen that. What I was trying to do (unsuccessfully 'cos I'm ignorant) was 
to try to find out what triggers ntlm_auth to run. Is there something in 
another file that sets this up?

Steve.
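Why the with_ntdomain_hack setting mentioned above matters, as an added example (not code from this thread or from FreeRADIUS): for MS-CHAPv2 the value rlm_mschap hands to ntlm_auth as --challenge is the RFC 2759 ChallengeHash, a SHA-1 over the two 16-byte challenges and the user name truncated to 8 bytes. A Windows supplicant hashes only the bare user name, so a server that hashes DOMAIN\user derives a different challenge and can never verify the NT-Response. The challenge bytes and the user name below are constructed sample values.

```python
import hashlib


def strip_nt_domain(user_name: str) -> str:
    """What with_ntdomain_hack = yes does in rlm_mschap: drop a leading
    'DOMAIN\\' prefix so that only the user portion is used."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): SHA-1 over the 16-byte peer
    challenge, the 16-byte authenticator challenge and the user name,
    truncated to 8 bytes. rlm_mschap expands %{mschap:Challenge} to this
    value for MS-CHAPv2 requests."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    sha = hashlib.sha1()
    sha.update(peer_challenge)
    sha.update(authenticator_challenge)
    sha.update(user_name.encode("utf-8"))
    return sha.digest()[:8]


# Constructed sample challenges (not taken from a real capture).
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTHENTICATOR_CHALLENGE = bytes(range(0x20, 0x30))


def server_side_challenge(user_name: str, ntdomain_hack: bool) -> bytes:
    """The challenge the RADIUS server passes to ntlm_auth for the
    User-Name it received, with or without the domain hack applied."""
    name = strip_nt_domain(user_name) if ntdomain_hack else user_name
    return challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE, name)


def supplicant_challenge(user_name: str) -> bytes:
    """What the Windows supplicant hashed: always the bare user name."""
    return challenge_hash(PEER_CHALLENGE, AUTHENTICATOR_CHALLENGE,
                          strip_nt_domain(user_name))


def challenges_agree(user_name: str, ntdomain_hack: bool) -> bool:
    """True when server and supplicant derive the same 8-byte challenge,
    which is the precondition for the NT-Response to verify at all."""
    return (server_side_challenge(user_name, ntdomain_hack)
            == supplicant_challenge(user_name))


if __name__ == "__main__":
    sample_user = "DOMAIN\\steve"  # constructed sample User-Name
    for hack in (False, True):
        setting = "yes" if hack else "no"
        print(f"with_ntdomain_hack = {setting}: challenges agree for "
              f"{sample_user} -> {challenges_agree(sample_user, hack)}")
```

Only the 8-byte challenge derivation is shown; the NT-Response itself (MD4 of the password, then DES) is what ntlm_auth verifies against the domain controller.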

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: Stephen Walsh [mailto:[EMAIL PROTECTED]]
 Sent: 12 April 2006 00:41
 To: Burton, Steven
 Subject: Re: How do I set up simple AD integration?
 
 Hi Steve
 
 I've just completed an AD implementation of FreeRadius across two AD
 domains, one AD2003 in Native mode and one AD2000 in mixed mode. If you'd
 like any hints or tips, feel free to email me and I'll do what I can to
 help.
 
 Stephen Walsh
 [EMAIL PROTECTED]


Stephen,

thanks for your kind offer of help. 

What I'm trying to achieve is to get 802.1x authentication working with 
FreeRadius passing off authentication to a Win2003 (Win 2000 mixed mode, soon 
to be 2003 native) DC.
When the user tries to connect to the network I can see his domain\username in 
the output of radiusd -A -X which (I think) suggests that the supplicant and 
client are set up correctly. There seems to be no attempt by the RADIUS server 
to contact a DC. I don't want to take too much of your time but would it be 
possible for you to send me any (suitably sanitized) configuration files you 
have customized?

If this is unacceptable I'll send you details of what I've done so far.

Steve.



RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
 Sent: 11 April 2006 16:28
 To: FreeRadius users mailing list
 Subject: Re: How do I set up simple AD integration? 
 
 
 Burton, Steven [EMAIL PROTECTED] wrote:
  This stanza is enclosed within the mschap section; still, nothing ventured,
  I changed the line and unfolded it and ran radiusd -X. The first
  request didn't match anything useful and was rejected by System. I
  tried again but ticked the box 'CHAP' on NTRadPing and got the
  output:
 
   You can't do CHAP to MS AD.  It's impossible.
 
   Alan DeKok.

My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
I still hope to get 802.1x working with FR before I'm told to stop wasting time 
and buy something :-) but after two and a half days (on and off) I'm no closer.

Steve.



RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Josh Howlett
 Sent: 12 April 2006 11:48
 To: FreeRadius users mailing list
 Subject: Re: How do I set up simple AD integration?
 
 
 Burton, Steven wrote:
  -Original Message-
  From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
  Sent: 11 April 2006 16:28
  To: FreeRadius users mailing list
  Subject: Re: How do I set up simple AD integration?
 
  Burton, Steven [EMAIL PROTECTED] wrote:
   This stanza is enclosed within the mschap section; still, nothing ventured,
   I changed the line and unfolded it and ran radiusd -X. The first
   request didn't match anything useful and was rejected by System. I
   tried again but ticked the box 'CHAP' on NTRadPing and got the
   output:
 
    You can't do CHAP to MS AD.  It's impossible.
 
    Alan DeKok.
 
  My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
  I still hope to get 802.1x working with FR before I'm told to stop wasting
  time and buy something :-) but after two and a half days (on and off) I'm
  no closer.
 
 Steve,
 
 I strongly suggest you start off doing PEAP against the 'users' file, 
 and once that's working get the domain stuff working.
 
 It sounds to me like you're trying to do too much at once, and too many 
 things are broken for you to know where to start!
 
 Once you've got PEAP working against the 'users' file, create a machine 
 account in the AD for the RADIUS server (using the Samba tools) and then 
 use the ntlm_auth program (that comes with Samba) to test standard 
 authentication.
 
 Once you've got that far, it's just a matter of configuring FreeRADIUS 
 to use ntlm_auth. But you can worry about that later :-)
 
 This isn't difficult, it's largely a matter of making sure you do the 
 right steps in the right order...
 
 best regards, josh.
 
Well, IT'S WORKING!! Thank you all for your help, advice and support.

Alas, I didn't back up the files last night so I'm not sure exactly what I did 
to make it work but I can now see it authenticating and then the connection is 
made. I have set it to put user names in the log and I hope to have it write 
accounting logs soon.

More worryingly, I'm seeing this error message in radiusd.log:

Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)

AFAIK there is no certificate A on the client (or supplicant) so the error 
message is probably correct but is it a problem in security terms?



How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven

Hi,

I am trying to set up FreeRadius 1.1.1 on FreeBSD 6.0 REL with user integration 
with Active Directory for a Windows 2003 domain currently in Win2000 mixed 
mode. My final object is to authenticate user-connections through a wireless AP.

I have setup Samba 3 and successfully joined the Windows domain. I have tried:
# wbinfo -u
# wbinfo -g
# wbinfo -a username%password
# ntlm_auth --request-nt-key --domain=domain --username=username
and all ran/authenticated successfully.

I have built and installed FreeRadius 1.1.1 from the FreeBSD port and copied:
acct_users
clients.conf
dictionary
eap.conf
hints
huntgroups
preproxy_users
proxy.conf
radiusd.conf
realms
snmp.conf
sql.conf
users
from the *.sample files provided and added my PC as a client (for NTRadPing) 
and an 802.11g AP with matching shared secrets and type 'other'.
I have uncommented the example user 'steve' in users and I can get an 
'Access-Accept' using NTRadPing with Steve's credentials so I know that local 
users are working.

If I point NTRadPing at our Funk SBR server and my Windows username and 
password I can get an 'Access-Accept' so, initially, I would like to emulate 
this operation before I get involved with MSCHAPv2 PEAP etc.

However, although I can see tantalizing references to 'ntlm_auth' and 
'ntdomain' and the like in various files I cannot see how to trigger an AD 
lookup from a RADIUS request. So far all I have achieved is:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = 

RE: How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of King, Michael
 Sent: 11 April 2006 15:40
 To: FreeRadius users mailing list
 Subject: RE: How do I set up simple AD integration?
 
 
  
  Is there a how-to or tutorial for this simple case? I have 
  searched this list and google generally. I have read the 
  articles referred to on the FreeRadius home page and several 
  others and I still can't see how the configuration works. Any 
  and all help gratefully received.
  
  Steve.
  
 
 
 As for the simple how-to, there are a few, but none that I would consider
 easy to follow.
 
 What you're looking for is the following lines (I have two ntlm_auth
 lines, the original that is commented out, and the one that I use. They
 are long, so they will break across lines, but they are not that way in
 my config file):
 
 
 # Windows sends us a username in the form of
 # DOMAIN\user, but sends the challenge response
 # based on only the user portion.  This hack
 # corrects for that incorrect behavior.
 #
 with_ntdomain_hack = yes
 
 # The module can perform authentication itself, OR
 # use a Windows Domain Controller.  This configuration
 # directive tells the module to call the ntlm_auth
 # program, which will do the authentication, and return
 # the NT-Key.  Note that you MUST have winbindd and
 # nmbd running on the local machine for ntlm_auth
 # to work.  See the ntlm_auth program documentation
 # for details.
 #
 # Be VERY careful when editing the following line!
 #
 #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

This stanza is enclosed within the mschap section; still, nothing ventured,
I changed the line and unfolded it and ran radiusd -X. The first request didn't 
match anything useful and was rejected by System. I tried again but ticked the 
box 'CHAP' on NTRadPing and got the output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name} 

RE: How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven


 -Original Message-
 From: [EMAIL PROTECTED] On Behalf Of Burton, Steven
 Sent: 11 April 2006 16:15
 To: FreeRadius users mailing list
 Subject: RE: How do I set up simple AD integration?
 
 
 
 