Add $ to end of machine account uid

2007-07-06 Thread Cody Jarrett
I need machines to be able to authenticate, so that a user who has never 
logged onto a computer can still have an active network connection 
through the machine and pull the credentials from the samba-ldap domain. I 
have a realm set up to strip the domain/ part of the username, which works 
fine, but I need to figure out how to add a $ at the end of anything 
that tries to connect as uid=host/computername. I'm sure I can figure 
out how to strip the host prefix, but can't quite figure out how to add 
the $ to the end. Thanks.

-- 
Cody Jarrett
IT Freedom
[EMAIL PROTECTED] 
Office: 512.419.0070
Fax: 512.419.0080

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Add $ to end of machine account uid

2007-07-06 Thread Cody Jarrett
I've about got it, but now I am getting an EAP error saying the username 
isn't correct.


I added this above preprocess:
attr_rewrite add-dollar-sign {
   attribute = User-Name
   searchfor = ^host/(.*)
   searchin = packet
   new_attribute = no
   replacewith = %{1}$
}

I've added add-dollar-sign to the authorize { section.

rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168
   NAS-IP-Address = 10.1.22.11
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 12
   Framed-MTU = 1400
   User-Name = host/itf-toshiba-asd
   Calling-Station-Id = 000e35ff2a82
   Called-Station-Id = 00186ecfa600
   NAS-Identifier = ap01.intranet.domain.com
   EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364
   Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute User-Name from 
'host/itf-toshiba-asd' to 'itf-toshiba-asd$'

 modcall[authorize]: module add-dollar-sign returns ok for request 2
 modcall[authorize]: module preprocess returns ok for request 2
 modcall[authorize]: module chap returns noop for request 2
 modcall[authorize]: module mschap returns noop for request 2
   rlm_realm: No '\' in User-Name = itf-toshiba-asd$, looking up 
realm NULL

   rlm_realm: No such realm NULL
 modcall[authorize]: module DOMAIN returns noop for request 2
 rlm_eap: EAP packet type response id 1 length 25
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(uid=itf-toshiba-asd$)

rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '((objectClass=posixGroup)(memberUid=itf-toshiba-asd$))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
((cn=wireless)((objectClass=posixGroup)(memberUid=itf-toshiba-asd$)))

rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module files returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for itf-toshiba-asd$
radius_xlat:  '(uid=itf-toshiba-asd$)'
radius_xlat:  'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter 
(uid=itf-toshiba-asd$)

rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value 
[W  ]  op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 
78389E5DE0CCA3A288568FADB746063D  op=21

rlm_ldap: looking for reply items in directory...
rlm_ldap: user itf-toshiba-asd$ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module ldap returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
 rlm_eap: Failed in handler
 modcall[authenticate]: module eap returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds



[EMAIL PROTECTED] wrote:

Hi,
  
I need machines to be able to authenticate, so that a user who has never 
logged onto a computer can still have an active network connection 
through the machine and pull the credentials from the samba-ldap domain. I 
have a realm set up to strip the domain/ part of the username, which works 
fine, but I need to figure out how to add a $ at the end of anything 
that tries to connect as uid=host/computername. I'm sure I can figure 
out how to strip the host prefix, but can't quite figure out how to add 
the $ to the end. Thanks.



Use the link on the Novell site as per the discussions earlier today.

alan


  
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Add $ to end of machine account uid

2007-07-06 Thread Cody Jarrett
Ok, did that, and the connection gets farther now. I don't quite 
understand how to get the other modules to use the stripped-user-name now.


rlm_attr_rewrite: Added attribute Stripped-User-Name with value 
'host/itf-toshiba-asd'

 modcall[authorize]: module copy.user-name returns ok for request 6
radius_xlat:  '^host/(.*)'
radius_xlat:  'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 
'host/itf-toshiba-asd' to 'itf-toshiba-asd$'

 modcall[authorize]: module add-dollar-sign returns ok for request 6
 modcall[authorize]: module chap returns noop for request 6
 modcall[authorize]: module preprocess returns ok for request 6
 modcall[authorize]: module mschap returns noop for request 6
   rlm_realm: No '\' in User-Name = host/itf-toshiba-asd, looking up 
realm NULL

   rlm_realm: No such realm NULL
 modcall[authorize]: module DOMAIN returns noop for request 6
 rlm_eap: EAP packet type response id 7 length 102
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 6
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=domain,dc=com'
radius_xlat:  '(uid=itf-toshiba-asd$)'
_
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/peap
 rlm_eap: processing type peap
 rlm_eap_peap: Authenticate
 rlm_eap_tls: processing TLS
 eaptls_verify returned 7
 rlm_eap_tls: Done initial handshake
 eaptls_process returned 7
 rlm_eap_peap: EAPTLS_OK
 rlm_eap_peap: Session established.  Decoding tunneled attributes.
 rlm_eap_peap: EAP type mschapv2
 rlm_eap_peap: Tunneled data is valid.
 PEAP: Got tunneled EAP-Message
   EAP-Message = 
a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364

 PEAP: Setting User-Name to host/itf-toshiba-asd

attr_rewrite copy.user-name {
   attribute = Stripped-User-Name
   new_attribute = yes
   searchfor = 
   searchin = packet
   replacewith = %{User-Name}
}
attr_rewrite add-dollar-sign {
   attribute = Stripped-User-Name
   searchfor = ^host/(.*)
   searchin = packet
   new_attribute = no
   replacewith = %{1}$
}


authorize {
   copy.user-name
   add-dollar-sign
   chap
   preprocess
   mschap
   DOMAIN
   eap
   files
   ldap
}


[EMAIL PROTECTED] wrote:

Hi,

  
I've about got it, but now I am getting an EAP error saying the username 
isn't correct.


I added this above preprocess:
attr_rewrite add-dollar-sign {
   attribute = User-Name
   searchfor = ^host/(.*)
   searchin = packet
   new_attribute = no
   replacewith = %{1}$
}



You cannot play with User-Name - that is returned in the EAP
conversation, and if it has changed then the auth won't work.
Copy the value to e.g. Stripped-User-Name and then use that variable
to do the auth with (as per that example page).

alan


  
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
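The exchange above turns on one check in rlm_eap: the outer User-Name must still equal the identity inside the EAP Identity response, so the regex rewrite has to run on a copy. This added example (not code from the thread or from FreeRADIUS) mimics the two attr_rewrite instances in Python on a constructed request and shows which variant survives that check; the RADIUS attribute dict and the helper names are assumptions.

```python
import re

# Constructed sample: an EAP Identity response (RFC 3748 code 2, id 1,
# length 25, type 1) carrying "host/itf-toshiba-asd", plus the outer
# RADIUS User-Name the access point copies from that identity.
EAP_MESSAGE = bytes.fromhex("0201001901") + b"host/itf-toshiba-asd"
REQUEST = {"User-Name": "host/itf-toshiba-asd", "EAP-Message": EAP_MESSAGE}


def eap_identity(eap_message):
    """Identity string inside an EAP Identity response (what rlm_eap compares)."""
    code, eap_type = eap_message[0], eap_message[4]
    length = int.from_bytes(eap_message[2:4], "big")
    if code != 2 or eap_type != 1 or length != len(eap_message):
        raise ValueError("not a well-formed EAP Identity response")
    return eap_message[5:length].decode("ascii")


def attr_rewrite(request, attribute, searchfor, replacewith, new_attribute=False):
    """Mimic one rlm_attr_rewrite instance; %{1} is the first regex capture group."""
    if new_attribute:
        # copy.user-name: create the attribute from the expanded template
        request[attribute] = replacewith.replace("%{User-Name}", request["User-Name"])
        return
    m = re.search(searchfor, request[attribute])
    if m:
        request[attribute] = replacewith.replace("%{1}", m.group(1))


def eap_accepts(request):
    """rlm_eap rejects a request whose User-Name no longer matches the EAP identity."""
    return eap_identity(request["EAP-Message"]) == request["User-Name"]


def rewrite_user_name(request):
    """First attempt from the thread: rewrite User-Name itself (breaks EAP)."""
    attr_rewrite(request, "User-Name", r"^host/(.*)", "%{1}$")
    return request


def rewrite_stripped_name(request):
    """Fix: copy User-Name to Stripped-User-Name and rewrite only the copy."""
    attr_rewrite(request, "Stripped-User-Name", "", "%{User-Name}", new_attribute=True)
    attr_rewrite(request, "Stripped-User-Name", r"^host/(.*)", "%{1}$")
    return request


def ldap_filter(request):
    """uid filter for the directory lookup, preferring Stripped-User-Name if set."""
    name = request.get("Stripped-User-Name", request["User-Name"])
    return "(uid=%s)" % name
```

The stock rlm_ldap filter, "(uid=%{Stripped-User-Name:-%{User-Name}})", already prefers Stripped-User-Name when it exists, which is how the other modules pick up the rewritten name without touching User-Name.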

Password in Radius Debug

2007-06-21 Thread Cody Jarrett
I notice the passwords, when supplicants connect to the RADIUS server, 
are displayed in plain text. Is there a way to disable this?

-- 
Cody Jarrett
IT Freedom
[EMAIL PROTECTED] 
Office: 512.419.0070
Fax: 512.419.0080

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Ldap Group Membership Requirements

2007-06-20 Thread Cody Jarrett
I'm trying to require a user to be a member of the wireless group in 
LDAP to be able to join the wireless. All users can currently join the 
wireless. I can't find very much documentation on the groupmembers* 
lines in the ldap section of radius.conf. Basically I'm trying to figure out 
what I need to add to these lines: groupname_attribute, 
groupmembership_filter, and groupmembership_attribute. I'm also not sure if 
I need to add something to the users file like: DEFAULT LDAP-Group == 
wireless. Can anyone provide input on what I need to configure? Thanks.

wireless group in ldap, you can see cjarrett is a member:
dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
objectClass: posixGroup
cn: wireless
gidNumber: 1011
memberUid: cjarrett

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Freeradius PEAP and Wireless

2007-06-18 Thread Cody Jarrett

Alan Dekok wrote:

Cody Jarrett wrote:
  
I'm trying to setup freeradius with ldap for use with a wireless 
network. I don't want to have to deal with tls and certificates if 
possible,



  Then you won't be doing PEAP.  It requires TLS and certificates.
  
Is what I want possible then? And if so, could you provide me with 
details on what it's called or how it's configured?

...
  

rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.



  What is unclear about that message?  It's telling you that you need
TLS for PEAP to work.

  All of the howto's show that you have to configure TLS before PEAP.
The comments in eap.conf say you have to configure TLS before PEAP.

  What's the problem?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


  
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attribute User-Password is required for authentication

2007-06-18 Thread Cody Jarrett
I found a few topics on this issue but nothing quite informative enough. 
I'm trying to get freeradius auth working with PAM and PEAP. When I test 
my config with radtest, I get Access-Accept. When I use a Windows XP 
supplicant with a 3com access point, I get:

rlm_pam: Attribute User-Password is required for authentication.
modcall[authenticate]: module pam returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.

Is the 3com not sending User-Password attributes in the packets, or is 
something else wrong?
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Attribute User-Password is required for authentication

2007-06-18 Thread Cody Jarrett
   rad_check_password:  Found Auth-Type EAP
auth: type EAP
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/peap
   rlm_eap: processing type peap
   rlm_eap_peap: Authenticate
   rlm_eap_tls: processing TLS
   eaptls_verify returned 7
   rlm_eap_tls: Done initial handshake
   eaptls_process returned 7
   rlm_eap_peap: EAPTLS_OK
   rlm_eap_peap: Session established.  Decoding tunneled attributes.
   rlm_eap_peap: Received EAP-TLV response.
   rlm_eap_peap: Tunneled data is valid.
   rlm_eap_peap:  Had sent TLV failure.  User was rejcted rejected 
earlier in this session.
  rlm_eap: Handler failed in EAP/peap
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228
Sending Access-Reject of id 7 to 10.1.22.10 port 2626
 EAP-Message = 0x04070004
 Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 4676f842
Waking up in 1 seconds...


[EMAIL PROTECTED] wrote:
 You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming
 from? One of the DEFAULT entries? Don't set Auth-Type! Let the server
 switch to one that's needed.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 18/6/2007, Cody Jarrett [EMAIL PROTECTED] wrote:
 
 Sorry, 10.1.22.10 is the ip of my 3com.

 rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185
 Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125
 Service-Type = Framed-User
 User-Name = cjarrett
 Framed-MTU = 1488
 Called-Station-Id = 00-0F-CB-FC-3E-5F:CJ Test
 Calling-Station-Id = 00-0E-35-FF-2A-82
 NAS-Identifier = AP11G
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 54Mbps 802.11g
 EAP-Message = 0x020d01636a617272657474
 NAS-IP-Address = 10.1.22.10
 NAS-Port = 2
 NAS-Port-Id = STA port # 2
   Processing the authorize section of radiusd.conf
 modcall: entering group authorize for request 0
   modcall[authorize]: module preprocess returns ok for request 0
   modcall[authorize]: module chap returns noop for request 0
   modcall[authorize]: module mschap returns noop for request 0
 rlm_realm: No '@' in User-Name = cjarrett, looking up realm NULL
 rlm_realm: No such realm NULL
   modcall[authorize]: module suffix returns noop for request 0
   rlm_eap: EAP packet type response id 0 length 13
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module eap returns updated for request 0
 users: Matched entry DEFAULT at line 153
 users: Matched entry DEFAULT at line 177
   modcall[authorize]: module files returns ok for request 0
 modcall: leaving group authorize (returns updated) for request 0
   rad_check_password:  Found Auth-Type pam
 auth: type PAM
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 0
 rlm_pam: Attribute User-Password is required for authentication.
   modcall[authenticate]: module pam returns invalid for request 0
 modcall: leaving group authenticate (returns invalid) for request 0
 auth: Failed to validate the user.
 Delaying request 0 for 1 seconds
 Finished request 0
 Going to the next request
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Waking up in 1 seconds...
 --- Walking the entire request list ---
 Sending Access-Reject of id 0 to 10.1.22.10 port 2458
 Waking up in 4 seconds...



 Kevin Bonner wrote:
 On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
 I found a few topics on this issue but nothing quite informative enough.
 I'm trying to get freeradius auth working with PAM and PEAP. When I test
 my config with radtest, I get Access-Accept. When I use a Windows XP
 supplicant with a 3com access point, I get:

 rlm_pam: Attribute User-Password is required for authentication.
 modcall[authenticate]: module pam returns invalid for request 4
 modcall: leaving group authenticate (returns invalid) for request 4
 auth: Failed to validate the user.

 Is the 3com not sending User-Password attributes in the packets, or is
 something else wrong?
 Run FreeRADIUS in debug mode (radiusd -X) to verify.  We cannot guess what
 your NAS/client is sending.

 -Kevin



Freeradius PEAP and Wireless

2007-06-17 Thread Cody Jarrett
I'm trying to set up freeradius with LDAP for use with a wireless 
network. I don't want to have to deal with TLS and certificates if 
possible; I would just like for users to use their username and password 
to connect. The radius config for LDAP is pretty easy, but I'm having a 
problem when trying to enable PEAP as my default EAP type. I've done so 
in my eap.conf, which I've included, along with a section of debug output from trying to 
start radiusd. Appreciate any info.

When trying to start radiusd:

Module: Instantiated ldap (ldap)
Module: Loaded eap
  eap: default_eap_type = peap
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1939] Unknown module eap.
radiusd.conf[1886] Failed to parse authenticate section.


eap.conf, basically; everything else is commented out.
eap {
   default_eap_type = peap

   peap {
      default_eap_type = mschapv2
   }

   mschapv2 {
   }
}


-- 
Cody Jarrett
IT Freedom
[EMAIL PROTECTED]
Office: 512.419.0070
Fax: 512.419.0080
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html