RE: How do I set up simple AD integration?
-----Original Message-----
From: [EMAIL PROTECTED] lists.freeradius.org [mailto:freeradius-users-bounces+sburton=shepherd-construction [EMAIL PROTECTED] lists.freeradius.org] On Behalf Of King, Michael
Sent: 11 April 2006 16:34
To: FreeRadius users mailing list
Subject: RE: How do I set up simple AD integration?

> You would still need with_ntdomain_hack = yes
>
> But that isn't your actual problem. It never called ntlm_auth

I'd seen that. What I was trying to do (unsuccessfully 'cos I'm ignorant) was to try to find out what triggers ntlm_auth to run. Is there something in another file that sets this up?

Steve.

__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
__
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How do I set up simple AD integration?
-----Original Message-----
From: Stephen Walsh [mailto:[EMAIL PROTECTED]]
Sent: 12 April 2006 00:41
To: Burton, Steven
Subject: Re: How do I set up simple AD integration?

> Hi Steve
>
> I've just completed an AD implementation of FreeRadius across two AD domains, one AD2003 in Native mode and one AD2000 in mixed mode. If you'd like any hints or tips, feel free to email me and I'll do what I can to help.
>
> Stephen Walsh
> [EMAIL PROTECTED]

Stephen, thanks for your kind offer of help.

What I'm trying to achieve is to get 802.1x authentication working with FreeRadius passing off authentication to a Win2003 (Win2000 mixed mode, soon to be 2003 native) DC. When the user tries to connect to the network I can see his domain\username in the output of radiusd -A -X, which (I think) suggests that the supplicant and client are set up correctly. There seems to be no attempt by the RADIUS server to contact a DC.

I don't want to take too much of your time, but would it be possible for you to send me any (suitably sanitized) configuration files you have customized? If this is unacceptable I'll send you details of what I've done so far.

Steve.
RE: How do I set up simple AD integration?
-----Original Message-----
From: [EMAIL PROTECTED] lists.freeradius.org [mailto:freeradius-users-bounces+sburton=shepherd-construction [EMAIL PROTECTED] lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 11 April 2006 16:28
To: FreeRadius users mailing list
Subject: Re: How do I set up simple AD integration?

> Burton, Steven [EMAIL PROTECTED] wrote:
> > This stanza is enclosed within the mschap section; still, nothing ventured, I changed the line and unfolded it and ran radiusd -X.
> >
> > The first request didn't match anything useful and was rejected by System. I tried again but ticked the box 'CHAP' on NTRadPing and got the output:
>
> You can't do CHAP to MS AD. It's impossible.
>
> Alan DeKok.

My bad! I'd been staring at mschap all day and I saw chap and thought mschap.

I still hope to get 802.1x working with FR before I'm told to stop wasting time and buy something :-) but after two and a half days (on and off) I'm no closer.

Steve.
RE: How do I set up simple AD integration?
-----Original Message-----
From: [EMAIL PROTECTED] lists.freeradius.org [mailto:freeradius-users-bounces+sburton=shepherd-construction [EMAIL PROTECTED] lists.freeradius.org] On Behalf Of Josh Howlett
Sent: 12 April 2006 11:48
To: FreeRadius users mailing list
Subject: Re: How do I set up simple AD integration?

> Burton, Steven wrote:
> > > You can't do CHAP to MS AD. It's impossible.
> > >
> > > Alan DeKok.
> >
> > My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
> >
> > I still hope to get 802.1x working with FR before I'm told to stop wasting time and buy something :-) but after two and a half days (on and off) I'm no closer.
>
> Steve,
>
> I strongly suggest you start off doing PEAP against the 'users' file, and once that's working get the domain stuff working. It sounds to me like you're trying to do too much at once, and too many things are broken for you to know where to start!
>
> Once you've got PEAP working against the 'users' file, create a machine account in the AD for the RADIUS server (using the Samba tools) and then use the ntlm_auth program (that comes with Samba) to test standard authentication. Once you've got that far, it's just a matter of configuring FreeRADIUS to use ntlm_auth. But you can worry about that later :-)
>
> This isn't difficult; it's largely a matter of making sure you do the right steps in the right order...
>
> best regards, josh.
Well, IT'S WORKING!!

Thank you all for your help, advice and support. Alas, I didn't back up the files last night so I'm not sure exactly what I did to make it work, but I can now see it authenticating and then the connection is made. I have set it to put user names in the log and I hope to have it write accounting logs soon.

More worryingly, I'm seeing this error message in radiusd.log:

Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)

AFAIK there is no certificate A on the client (or supplicant) so the error message is probably correct, but is it a problem in security terms?
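The log pasted above mixes three different kinds of line: the "TLS_accept:error in SSLv3 read client certificate A" entries, which are the OpenSSL handshake state reported while the server waits for a client certificate that a PEAP client never presents (not a failed certificate check), the "Login OK" entries from "client localhost port 0", which are the EAP-MSCHAPv2 exchange tunnelled inside PEAP that FreeRADIUS 1.x processes as a local request, and the "Login OK" entries from the real access point, which carry the NAS address and the station MAC after "cli". The following Python is an added example, not code from the thread or from FreeRADIUS: it parses radius.log lines, applies those classifications, and collects the sessions seen on real NASes. The sample lines are the ones from the message above (DOMAIN\\USERNAME is the poster's own placeholder); the category names and explanations are this example's.

```python
"""Triage of FreeRADIUS 1.x radius.log lines such as those pasted above.

Added example, not code from the thread or from FreeRADIUS. The sample
lines are the ones from the post (DOMAIN\\USERNAME is the poster's own
placeholder); the categories and explanations are this example's.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(
    r"^Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^\s)]+))?")

# Message prefixes with a known, benign meaning on a PEAP server.
KNOWN = {
    "TLS_accept:error in SSLv3 read client certificate A":
        ("tls_no_client_cert",
         "OpenSSL handshake state logged while waiting for a client certificate; "
         "PEAP clients present none, so this is not a failed certificate check"),
    "rlm_exec: Wait=yes but no output defined":
        ("config_warning", "exec instance has wait=yes without output; harmless, set output=none"),
}


def parse_line(line):
    """Split one log line into timestamp, level and message; None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return (category, detail) for a parsed record."""
    msg = rec["msg"]
    for prefix, (cat, why) in KNOWN.items():
        if msg.startswith(prefix):
            return cat, why
    m = LOGIN_RE.match(msg)
    if m:
        d = m.groupdict()
        d["user"] = d["user"].replace("\\\\", "\\")   # the log escapes the backslash
        if d["result"] != "OK":
            return "auth_failure", d
        # FreeRADIUS 1.x runs the EAP method tunnelled inside PEAP as a
        # request from "client localhost port 0"; the real NAS appears on
        # the outer request, with the station MAC after "cli".
        if d["client"] == "localhost":
            return "inner_auth_ok", d
        return "outer_auth_ok", d
    return "info", msg


def triage(text):
    """Summarise a log: counts per category and the sessions seen on real NASes."""
    counts = Counter()
    sessions = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cat, detail = classify(rec)
        counts[cat] += 1
        if cat == "outer_auth_ok":
            sessions.append({"ts": rec["ts"], "user": detail["user"],
                             "nas": detail["client"], "mac": detail["cli"]})
    return {"counts": counts, "sessions": sessions}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cat, n in sorted(result["counts"].items()):
        print("%-20s %d" % (cat, n))
    for s in result["sessions"]:
        print(s)
```

Run against a live radius.log, a rising auth_failure count per NAS or per MAC is the line worth alerting on; the tls_no_client_cert entries will appear once per PEAP handshake round and can be dropped from the summary.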
How do I set up simple AD integration?
Hi,

I am trying to set up FreeRadius 1.1.1 on FreeBSD 6.0 REL with user integration with Active Directory for a Windows 2003 domain currently in Win2000 mixed mode. My final object is to authenticate user connections through a wireless AP.

I have set up Samba 3 and successfully joined the Windows domain. I have tried:

# wbinfo -u
# wbinfo -g
# wbinfo -a username%password
# ntlm_auth --request-nt-key --domain=domain --username=username

and all ran/authenticated successfully.

I have built and installed FreeRadius 1.1.1 from the FreeBSD port and copied:

acct_users clients.conf dictionary eap.conf hints huntgroups preproxy_users proxy.conf radiusd.conf realms snmp.conf sql.conf users

from the *.sample files provided and added my PC as a client (for NTRadPing) and an 802.11g AP with matching shared secrets and type 'other'.

I have uncommented the example user 'steve' in users and I can get an 'Access-Accept' using NTRadPing with Steve's credentials, so I know that local users are working. If I point NTRadPing at our Funk SBR server with my Windows username and password I can get an 'Access-Accept' so, initially, I would like to emulate this operation before I get involved with MSCHAPv2, PEAP etc.

However, although I can see tantalizing references to 'ntlm_auth' and 'ntdomain' and the like in various files, I cannot see how to trigger an AD lookup from a RADIUS request. So far all I have achieved is:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /var
main: logdir = /var/log
main: libdir = /usr/local/lib
main: radacctdir = /var/log/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /usr/local/etc/raddb/certs/dh
tls: random_file =
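The module dump that radiusd -X prints at start-up, as pasted above, is worth reading as a configuration audit before going further: it shows with_ntdomain_hack = no, default_eap_type = md5, no user/group for the daemon, log_auth = no, and the FreeRADIUS sample certificates (demoCA, private_key_password = whatever). The following Python is an added example, not code from the thread or from FreeRADIUS: it parses the "section: key = value" lines of such a dump, flags those settings, and shows the corrected value beside each where one can be stated. The sample dump is a constructed subset of the one in the message above; the account name "radiusd" used for the user/group fix is an assumption, and the sample-certificate finding has no automatic fix because it needs a CA and server certificate of your own.

```python
"""Audit of the module configuration that radiusd -X prints at start-up.

Added example, not code from the thread or from FreeRADIUS. It parses the
"section: key = value" lines of the debug dump, flags settings that matter
for an 802.1X/AD deployment, and shows the corrected value next to each.
The sample dump is a constructed subset of the one posted above; the
account name "radiusd" used for the user/group fix is an assumption.
"""
import re

SAMPLE_DEBUG = """\
main: user = (null)
main: group = (null)
main: log_auth = no
mschap: with_ntdomain_hack = no
mschap: ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
eap: default_eap_type = md5
tls: private_key_password = whatever
tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
"""

SETTING_RE = re.compile(r"^\s*(?P<section>\w+): (?P<key>\w+) = ?(?P<value>.*)$")


def parse_debug(text):
    """Nested dict {section: {key: value}} from radiusd -X output; other lines ignored."""
    cfg = {}
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            cfg.setdefault(m["section"], {})[m["key"]] = m["value"].strip()
    return cfg


def get(cfg, section, key):
    """Value of a setting, with (null) and empty treated as unset."""
    v = cfg.get(section, {}).get(key)
    return None if v in (None, "", "(null)") else v


def audit(cfg):
    """List of (finding id, section, key, corrected value or None, explanation)."""
    findings = []
    if get(cfg, "main", "user") is None or get(cfg, "main", "group") is None:
        findings.append(("run_as_root", "main", "user", "radiusd",
                         "no user/group: radiusd keeps the privileges of whoever started it, normally root"))
    if get(cfg, "main", "log_auth") == "no":
        findings.append(("auth_not_logged", "main", "log_auth", "yes",
                         "successful and failed logins are not written to the log"))
    if get(cfg, "mschap", "with_ntdomain_hack") == "no":
        findings.append(("ntdomain_hack_off", "mschap", "with_ntdomain_hack", "yes",
                         "Windows sends DOMAIN\\user but hashes only 'user'; the NT-Response check fails"))
    if get(cfg, "mschap", "ntlm_auth") is None:
        findings.append(("ntlm_auth_unset", "mschap", "ntlm_auth", None,
                         "mschap has no ntlm_auth command, so no domain controller is ever consulted"))
    if get(cfg, "eap", "default_eap_type") == "md5":
        findings.append(("eap_default_md5", "eap", "default_eap_type", "peap",
                         "EAP-MD5 derives no keying material; offer the method the wireless clients use"))
    if get(cfg, "tls", "private_key_password") == "whatever" or "demoCA" in (get(cfg, "tls", "CA_file") or ""):
        findings.append(("sample_certs", "tls", "certificate_file", None,
                         "FreeRADIUS sample certificates with the published passphrase; issue your own"))
    return findings


def apply_fixes(cfg, findings):
    """Return a copy of cfg with every finding that has a corrected value applied."""
    fixed = {s: dict(kv) for s, kv in cfg.items()}
    for _fid, section, key, value, _why in findings:
        if value is not None:
            fixed.setdefault(section, {})[key] = value
            if key == "user":                      # group follows the user setting
                fixed[section]["group"] = value
    return fixed


if __name__ == "__main__":
    cfg = parse_debug(SAMPLE_DEBUG)
    for fid, section, key, value, why in audit(cfg):
        current = get(cfg, section, key)
        print("%-18s %s: %s = %s -> %s\n    %s"
              % (fid, section, key, current, value or "(manual fix)", why))
```

Feed it the full radiusd -X output and it ignores the "Module: Loaded" and "Config:" lines; the checks are deliberately on the effective values the server reports rather than on radiusd.conf text, so an edit that never took effect is still caught.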
RE: How do I set up simple AD integration?
-----Original Message-----
From: [EMAIL PROTECTED] lists.freeradius.org [mailto:freeradius-users-bounces+sburton=shepherd-construction [EMAIL PROTECTED] lists.freeradius.org] On Behalf Of King, Michael
Sent: 11 April 2006 15:40
To: FreeRadius users mailing list
Subject: RE: How do I set up simple AD integration?

> > Is there a how-to or tutorial for this simple case? I have searched this list and google generally. I have read the articles referred to on the FreeRadius home page and several others and I still can't see how the configuration works.
> >
> > Any and all help gratefully received.
> >
> > Steve.
>
> As for the simple how-to, there are a few, but none that I would consider easy to follow.
>
> What you're looking for is the following lines: (I have two ntlm_auth lines, the original that is commented out, and the one that I use. They are long, so they will break across lines, but they are not that way in my config file)
>
>         # Windows sends us a username in the form of
>         # DOMAIN\user, but sends the challenge response
>         # based on only the user portion.  This hack
>         # corrects for that incorrect behavior.
>         #
>         with_ntdomain_hack = yes
>
>         # The module can perform authentication itself, OR
>         # use a Windows Domain Controller.  This configuration
>         # directive tells the module to call the ntlm_auth
>         # program, which will do the authentication, and return
>         # the NT-Key.  Note that you MUST have winbindd and
>         # nmbd running on the local machine for ntlm_auth
>         # to work.  See the ntlm_auth program documentation
>         # for details.
>         #
>         # Be VERY careful when editing the following line!
>         #
>         #ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>         ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}

This stanza is enclosed within the mschap section; still, nothing ventured, I changed the line and unfolded it and ran radiusd -X.

The first request didn't match anything useful and was rejected by System. I tried again but ticked the box 'CHAP' on NTRadPing and got the output:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /var
main: logdir = /var/log
main: libdir = /usr/local/lib
main: radacctdir = /var/log/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
mschap: ntlm_auth = /usr/local/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name}
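The comment in King's config excerpt above states the reason for with_ntdomain_hack: Windows sends User-Name as DOMAIN\user but computes the MS-CHAPv2 challenge response over the user portion only, and with_ntdomain_hack = yes makes rlm_mschap do the same before it checks the NT-Response or hands the name to ntlm_auth. The following Python is an added example, not code from the thread or from FreeRADIUS: it implements the RFC 2759 ChallengeHash and the RFC 2548 MS-CHAP2-Response attribute layout and shows that the server's challenge hash only matches the supplicant's when the domain prefix is stripped. The names, challenges and the 24-byte response are constructed values, and the DES step that turns the challenge hash into the NT-Response is omitted, since once the 8-byte challenge hashes differ the NT-Response can never verify.

```python
"""Why rlm_mschap needs with_ntdomain_hack for DOMAIN\\user names.

Added example, not code from the mailing-list thread or from FreeRADIUS.
Implements the RFC 2759 section 8.2 ChallengeHash and the RFC 2548
MS-CHAP2-Response attribute layout; every sample value is constructed.
"""
import hashlib


def strip_ntdomain(user_name):
    """What with_ntdomain_hack = yes does: drop a leading 'DOMAIN\\'."""
    _domain, sep, user = user_name.partition("\\")
    return user if sep else user_name


def challenge_hash(peer_challenge, auth_challenge, user_name):
    """RFC 2759 8.2: SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[:8].

    RFC 2759 specifies that only the user name, excluding any prepended
    domain, is hashed; a Windows supplicant therefore hashes 'user' even
    though it sent 'DOMAIN\\user' as the RADIUS User-Name.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("challenges must be 16 bytes")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("utf-8"))
    return h.digest()[:8]


def build_mschap2_response(ident, peer_challenge, nt_response):
    """RFC 2548 2.3.2 MS-CHAP2-Response: Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("bad field length")
    return bytes([ident & 0xFF, 0x00]) + peer_challenge + bytes(8) + nt_response


def parse_mschap2_response(attr):
    """Split a 50-byte MS-CHAP2-Response into (ident, peer_challenge, nt_response)."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(attr))
    if attr[1] != 0:
        raise ValueError("Flags must be zero")
    return attr[0], attr[2:18], attr[26:50]


def supplicant_challenge_hash(user_name, peer_challenge, auth_challenge):
    """Windows side: always hashes the user portion only."""
    return challenge_hash(peer_challenge, auth_challenge, strip_ntdomain(user_name))


def server_challenge_hash(user_name, ms_chap_challenge, ms_chap2_response, with_ntdomain_hack):
    """rlm_mschap side: the name it hashes depends on with_ntdomain_hack."""
    _ident, peer_challenge, _nt_response = parse_mschap2_response(ms_chap2_response)
    name = strip_ntdomain(user_name) if with_ntdomain_hack else user_name
    return challenge_hash(peer_challenge, ms_chap_challenge, name)


def hashes_agree(user_name, with_ntdomain_hack, seed=b"constructed"):
    """One exchange with constructed challenges; True if server and supplicant agree."""
    # Deterministic challenges so the result is reproducible (a real server uses random ones).
    auth_challenge = hashlib.sha256(seed + b"auth").digest()[:16]
    peer_challenge = hashlib.sha256(seed + b"peer").digest()[:16]
    # Placeholder NT-Response: the DES step is out of scope here.
    attr = build_mschap2_response(1, peer_challenge, bytes(24))
    return (server_challenge_hash(user_name, auth_challenge, attr, with_ntdomain_hack)
            == supplicant_challenge_hash(user_name, peer_challenge, auth_challenge))


if __name__ == "__main__":
    for name in ("EXAMPLE\\alice", "alice"):          # constructed names
        for hack in (False, True):
            print("%-16s with_ntdomain_hack=%-5s agree=%s" % (name, hack, hashes_agree(name, hack)))
```

King's ntlm_auth line passes %{mschap:User-Name}, which rlm_mschap expands to the part of User-Name after the backslash, so ntlm_auth receives the same stripped name this example computes; the commented stock line passes Stripped-User-Name or User-Name instead, which is where the domain prefix can leak through when no realm stripping is configured.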