Add $ to end of machine account uid
I need machines to be able to authenticate so that when a user who has never logged onto a computer can, by the machine have an active network connection and pulling the credentials from the samba-ldap domain. I have a realm setup to strip the domain/ part of the username which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quite figure out how to add the $ to the end.

Thanks.

--
Cody Jarrett
IT Freedom
[EMAIL PROTECTED]
Office: 512.419.0070
Fax: 512.419.0080

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Add $ to end of machine account uid
I've about got it, but now I am getting an eap error about the username isn't correct. I added this above preprocess:

attr_rewrite add-dollar-sign {
        attribute = User-Name
        searchfor = ^host/(.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
}

I've added add-dollar-sign to the authorize { section.

rad_recv: Access-Request packet from host 10.1.22.11:2135, id=64, length=168
        NAS-IP-Address = 10.1.22.11
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 12
        Framed-MTU = 1400
        User-Name = host/itf-toshiba-asd
        Calling-Station-Id = 000e35ff2a82
        Called-Station-Id = 00186ecfa600
        NAS-Identifier = ap01.intranet.domain.com
        EAP-Message = 0x02010019234486f73742f6974662d746f73686962612d617364
        Message-Authenticator = 0x2b72b4ab80aaf3aa96b4613f3ab872341d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
radius_xlat: '^host/(.*)'
radius_xlat: 'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
modcall[authorize]: module add-dollar-sign returns ok for request 2
modcall[authorize]: module preprocess returns ok for request 2
modcall[authorize]: module chap returns noop for request 2
modcall[authorize]: module mschap returns noop for request 2
rlm_realm: No '\' in User-Name = itf-toshiba-asd$, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module DOMAIN returns noop for request 2
rlm_eap: EAP packet type response id 1 length 25
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 2
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=domain,dc=com'
radius_xlat: '(uid=itf-toshiba-asd$)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat: '(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (&(cn=wireless)(&(objectClass=posixGroup)(memberUid=itf-toshiba-asd$)))
rlm_ldap::ldap_groupcmp: User found in group wireless
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module files returns notfound for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for itf-toshiba-asd$
radius_xlat: '(uid=itf-toshiba-asd$)'
radius_xlat: 'dc=domain,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=com, with filter (uid=itf-toshiba-asd$)
rlm_ldap: checking if remote access for itf-toshiba-asd$ is allowed by uid
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding sambaAcctFlags as SMB-Account-CTRL-TEXT, value [W ] op=21
rlm_ldap: Adding sambaNTPassword as NT-Password, value 78389E5DE0CCA3A288568FADB746063D op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user itf-toshiba-asd$ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Identity does not match User-Name, setting from EAP Identity.
rlm_eap: Failed in handler
modcall[authenticate]: module eap returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds

[EMAIL PROTECTED] wrote:
> Hi,
>
> > I need machines to be able to authenticate so that when a user who has never logged onto a computer can, by the machine have an active network connection and pulling the credentials from the samba-ldap domain. I have a realm setup to strip the domain/ part of the username which works fine, but I need to figure out how to add a $ at the end of anything that tries to connect as uid=host/computername. I'm sure I can figure out how to strip the host prefix, but can't quite figure out how to add the $ to the end.
> >
> > Thanks.
>
> use the link on the novell site as per the discussions earlier today.
>
> alan
Re: Add $ to end of machine account uid
Ok, did that, and the connection gets farther now. I don't quite understand how to get the other modules to use the stripped-user-name now.

rlm_attr_rewrite: Added attribute Stripped-User-Name with value 'host/itf-toshiba-asd'
modcall[authorize]: module copy.user-name returns ok for request 6
radius_xlat: '^host/(.*)'
radius_xlat: 'itf-toshiba-asd$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name from 'host/itf-toshiba-asd' to 'itf-toshiba-asd$'
modcall[authorize]: module add-dollar-sign returns ok for request 6
modcall[authorize]: module chap returns noop for request 6
modcall[authorize]: module preprocess returns ok for request 6
modcall[authorize]: module mschap returns noop for request 6
rlm_realm: No '\' in User-Name = host/itf-toshiba-asd, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module DOMAIN returns noop for request 6
rlm_eap: EAP packet type response id 7 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 6
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'dc=domain,dc=com'
radius_xlat: '(uid=itf-toshiba-asd$)'
_
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Got tunneled EAP-Message
        EAP-Message = a0203913657d182f94d6ad94beee83e800686f73742f6974662d746f73686962612d617364
PEAP: Setting User-Name to host/itf-toshiba-asd

attr_rewrite copy.user-name {
        attribute = Stripped-User-Name
        new_attribute = yes
        searchfor =
        searchin = packet
        replacewith = %{User-Name}
}

attr_rewrite add-dollar-sign {
        attribute = Stripped-User-Name
        searchfor = ^host/(.*)
        searchin = packet
        new_attribute = no
        replacewith = %{1}$
}

authorize {
        copy.user-name
        add-dollar-sign
        chap
        preprocess
        mschap
        DOMAIN
        eap
        files
        ldap
}

[EMAIL PROTECTED] wrote:
> Hi,
>
> > I've about got it, but now I am getting an eap error about the username isn't correct. I added this above preprocess:
> >
> > attr_rewrite add-dollar-sign {
> >         attribute = User-Name
> >         searchfor = ^host/(.*)
> >         searchin = packet
> >         new_attribute = no
> >         replacewith = %{1}$
> > }
>
> you cannot play with User-Name - that is returned in the EAP conversation and if it has changed then the auth won't work. copy the value to eg Stripped-User-Name and then use that variable to do the auth with (as per that example page)
>
> alan
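The two configurations in this thread, modelled as an added Python sketch that is not from the list or from FreeRADIUS: it applies the thread's `^host/(.*)` to `%{1}$` rewrite to a request the two ways discussed (in place on User-Name, then on a copied Stripped-User-Name) and runs the comparison behind the `Identity does not match User-Name` failure. The request dictionary, the constructed EAP Response/Identity bytes and the helper names are assumptions made for the example.

```python
import re

# Same pattern and replacement as the attr_rewrite entries in this thread:
# searchfor "^host/(.*)", replacewith "%{1}$" (Python spells %{1} as \g<1>).
HOST_PREFIX = re.compile(r"^host/(.*)")


def machine_account_name(name: str) -> str:
    """host/itf-toshiba-asd -> itf-toshiba-asd$ ; names without the prefix pass through."""
    return HOST_PREFIX.sub(r"\g<1>$", name)


def eap_identity(eap_message: bytes) -> str:
    """Decode an EAP Response/Identity (RFC 3748): code=2, id, length, type=1, identity."""
    code, length = eap_message[0], int.from_bytes(eap_message[2:4], "big")
    if code != 2 or length != len(eap_message) or eap_message[4] != 1:
        raise ValueError("not an EAP Response/Identity packet")
    return eap_message[5:].decode("ascii")


def authorize_first_attempt(request: dict) -> dict:
    """The first config in the thread: rewrite User-Name itself."""
    out = dict(request)
    out["User-Name"] = machine_account_name(out["User-Name"])
    return out


def authorize_with_copy(request: dict) -> dict:
    """copy.user-name + add-dollar-sign: User-Name untouched, Stripped-User-Name derived."""
    out = dict(request)
    out["Stripped-User-Name"] = machine_account_name(out["User-Name"])
    return out


def eap_identity_matches(request: dict) -> bool:
    """The check that logs 'Identity does not match User-Name': EAP identity vs User-Name."""
    return eap_identity(request["EAP-Message"]) == request["User-Name"]


def ldap_lookup_name(request: dict) -> str:
    """Name the LDAP module should search for: Stripped-User-Name when present, else User-Name."""
    return request.get("Stripped-User-Name", request["User-Name"])


# Constructed request: a well-formed EAP Response/Identity carrying the host name from the
# thread (the hex dump in the post itself is not reproduced here).
SAMPLE_REQUEST = {
    "User-Name": "host/itf-toshiba-asd",
    "EAP-Message": bytes([2, 1, 0, 25, 1]) + b"host/itf-toshiba-asd",
}

if __name__ == "__main__":
    first = authorize_first_attempt(SAMPLE_REQUEST)
    print("rewrite User-Name -> identity matches:", eap_identity_matches(first))  # False
    fixed = authorize_with_copy(SAMPLE_REQUEST)
    print("copy then rewrite -> identity matches:", eap_identity_matches(fixed))  # True
    print("LDAP search name  ->", ldap_lookup_name(fixed))  # itf-toshiba-asd$
```

`ldap_lookup_name` stands in for the `%{Stripped-User-Name:-%{User-Name}}` xlat that the ldap module's default filter uses, which is why the second debug output above already searches for `(uid=itf-toshiba-asd$)` while the outer User-Name stays exactly what the supplicant sent.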
Password in Radius Debug
I notice the password during supplicant connects to the radius server are displayed in plain text. Is there a way to disable this?

--
Cody Jarrett
IT Freedom
[EMAIL PROTECTED]
Office: 512.419.0070
Fax: 512.419.0080
Ldap Group Membership Requirements
I'm trying to require a user to be a member of the wireless group in ldap to be able to join the wireless. All users can currently join the wireless. I can't find very much documentation on the groupmembers* lines in the ldap section of radiusd.conf. Basically trying to figure out what I need to add to these lines: groupname_attribute, groupmembership_filter, and groupmembership_attribute. Also not sure if I need to add something to users file like: DEFAULT LDAP-Group == wireless. Can anyone provide input on what I need to configure, Thanks.

wireless group in ldap, you can see cjarrett is a member:

dn: cn=wireless,ou=Groups,dc=itfreedom,dc=com
objectClass: posixGroup
cn: wireless
gidNumber: 1011
memberUid: cjarrett
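No reply to this question survives on the page. As an added illustration that is not from the list or from FreeRADIUS, the Python below evaluates the search that rlm_ldap's ldap_groupcmp performs when a users-file check item such as `Ldap-Group == "wireless"` is hit, against the group entry quoted above. The ldap settings are assumptions (groupname_attribute `cn` and the posixGroup/memberUid membership filter that appears in the rlm_ldap debug output from the same site earlier on this page); the in-memory directory and the filter evaluator are constructed for the example.

```python
import re

# Assumed ldap { } settings for the example; the post does not give them.
GROUPNAME_ATTRIBUTE = "cn"
GROUPMEMBERSHIP_FILTER = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"

# Constructed directory: the wireless group from the post plus a second group for contrast.
DIRECTORY = [
    {"dn": ["cn=wireless,ou=Groups,dc=itfreedom,dc=com"], "objectClass": ["posixGroup"],
     "cn": ["wireless"], "gidNumber": ["1011"], "memberUid": ["cjarrett"]},
    {"dn": ["cn=staff,ou=Groups,dc=itfreedom,dc=com"], "objectClass": ["posixGroup"],
     "cn": ["staff"], "gidNumber": ["1012"], "memberUid": ["cjarrett", "bob"]},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter (as rlm_ldap does for xlat'ed
    attributes). Without it a crafted User-Name could change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def xlat(template: str, request: dict) -> str:
    """Expand %{Attr} references, escaping each value for use inside an LDAP filter."""
    return re.sub(r"%\{([^}]+)\}", lambda m: ldap_escape(request[m.group(1)]), template)


def parse_filter(s: str, i: int = 0):
    """Parse the RFC 4515 subset needed here: (&..), (|..), (!..) and (attr=value).
    Returns (tree, index just past the parsed filter)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)  # escaped values contain no raw ')', so this is the closing paren
    attr, value = s[i:j].split("=", 1)
    unescaped = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, unescaped), j + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    if node[0] == "=":
        _, attr, value = node
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return any(v.lower() == value.lower() for v in values)
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)


def ldap_groupcmp(request: dict, group_name: str) -> bool:
    """The search behind an Ldap-Group check item:
    (&(<groupname_attribute>=<group>)<groupmembership_filter>) must return an entry."""
    filt = (f"(&({GROUPNAME_ATTRIBUTE}={ldap_escape(group_name)})"
            f"{xlat(GROUPMEMBERSHIP_FILTER, request)})")
    tree, _ = parse_filter(filt)
    return any(matches(tree, entry) for entry in DIRECTORY)


if __name__ == "__main__":
    for name in ("cjarrett", "bob", "mallory", "x)(cn=wireless"):
        member = ldap_groupcmp({"User-Name": name}, "wireless")
        print(f"{name!r:18} member of wireless: {member}")
```

The last sample name shows why the xlat'ed value has to be escaped: left raw, the `)(` characters would close the memberUid term and insert a second `cn=wireless` term, and the filter would no longer test membership at all. With escaping it is just a literal string that no entry carries.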
Re: Freeradius PEAP and Wireless
Alan Dekok wrote:
> Cody Jarrett wrote:
> > I'm trying to setup freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible,
>
> Then you won't be doing PEAP. It requires TLS and certificates.

Is what I want possible then? And if so could you provide me with details on what it's called or how it's configured?

> ...
> > rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
>
> What is unclear about that message? It's telling you that you need TLS for PEAP to work. All of the howto's show that you have to configure TLS before PEAP. The comments in eap.conf say you have to configure TLS before PEAP. What's the problem?
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
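For reference, here is the missing piece written out as an added eap.conf sketch in the layout of the FreeRADIUS 1.x file; it is not from this thread or from the FreeRADIUS distribution, and the key password and the file paths under ${raddbdir}/certs are placeholders to be replaced with the site's own certificate material. The tls subsection is listed before peap, which is what the "EAP-Type/TLS is required first" message is asking for.

```conf
eap {
        default_eap_type = peap

        # PEAP is EAP-TLS on the outside, so the tls subsection must be
        # configured (and listed) before peap can be loaded.
        tls {
                # placeholder values: point these at the server's own key,
                # certificate and the CA that issued it
                private_key_password = CHANGE-ME
                private_key_file = ${raddbdir}/certs/server.pem
                certificate_file = ${raddbdir}/certs/server.pem
                CA_file = ${raddbdir}/certs/ca.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
        }

        # the inner method runs inside the TLS tunnel that tls { } provides
        peap {
                default_eap_type = mschapv2
        }

        mschapv2 {
        }
}
```

The certificate is not optional overhead: the TLS tunnel is what keeps the inner MS-CHAPv2 exchange away from anyone on the radio, and the CA in CA_file is what supplicants should be configured to check before they send credentials into that tunnel.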
Attribute User-Password is required for authentication
I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:

rlm_pam: Attribute User-Password is required for authentication.
modcall[authenticate]: module pam returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.

Is the 3com not sending User-Password attributes in the packets, or is something else wrong?
Re: Attribute User-Password is required for authentication
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.1.22.10:2626, id=7, length=228
Sending Access-Reject of id 7 to 10.1.22.10 port 2626
        EAP-Message = 0x04070004
        Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 4676f842
Waking up in 1 seconds...

[EMAIL PROTECTED] wrote:
> You are forcing Auth-Type PAM and doing EAP. Where is Auth-Type coming from? One of the DEFAULT entries? Don't set Auth-Type! Let the server switch to one that's needed.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 18/6/2007, Cody Jarrett [EMAIL PROTECTED] wrote:
> > Sorry, 10.1.22.10 is the ip of my 3com.
> >
> > rad_recv: Access-Request packet from host 10.1.22.10:2458, id=0, length=185
> >         Message-Authenticator = 0xb0ba1aec817dfd6ab3fc3b0e49fb1125
> >         Service-Type = Framed-User
> >         User-Name = cjarrett
> >         Framed-MTU = 1488
> >         Called-Station-Id = 00-0F-CB-FC-3E-5F:CJ Test
> >         Calling-Station-Id = 00-0E-35-FF-2A-82
> >         NAS-Identifier = AP11G
> >         NAS-Port-Type = Wireless-802.11
> >         Connect-Info = CONNECT 54Mbps 802.11g
> >         EAP-Message = 0x020d01636a617272657474
> >         NAS-IP-Address = 10.1.22.10
> >         NAS-Port = 2
> >         NAS-Port-Id = STA port # 2
> > Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 0
> > modcall[authorize]: module preprocess returns ok for request 0
> > modcall[authorize]: module chap returns noop for request 0
> > modcall[authorize]: module mschap returns noop for request 0
> > rlm_realm: No '@' in User-Name = cjarrett, looking up realm NULL
> > rlm_realm: No such realm NULL
> > modcall[authorize]: module suffix returns noop for request 0
> > rlm_eap: EAP packet type response id 0 length 13
> > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> > modcall[authorize]: module eap returns updated for request 0
> > users: Matched entry DEFAULT at line 153
> > users: Matched entry DEFAULT at line 177
> > modcall[authorize]: module files returns ok for request 0
> > modcall: leaving group authorize (returns updated) for request 0
> > rad_check_password: Found Auth-Type pam
> > auth: type PAM
> > Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 0
> > rlm_pam: Attribute User-Password is required for authentication.
> > modcall[authenticate]: module pam returns invalid for request 0
> > modcall: leaving group authenticate (returns invalid) for request 0
> > auth: Failed to validate the user.
> > Delaying request 0 for 1 seconds
> > Finished request 0
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Waking up in 1 seconds...
> > --- Walking the entire request list ---
> > Sending Access-Reject of id 0 to 10.1.22.10 port 2458
> > Waking up in 4 seconds...
> >
> > Kevin Bonner wrote:
> > > On Monday 18 June 2007 16:31:37 Cody Jarrett wrote:
> > > > I found a few topics on this issue but nothing quite informative enough. I'm trying to get freeradius auth working with pam and peap. When I test my config with radtest, I get Access-accept. When I use a windows XP supplicant with a 3com access point, I get:
> > > >
> > > > rlm_pam: Attribute User-Password is required for authentication.
> > > > modcall[authenticate]: module pam returns invalid for request 4
> > > > modcall: leaving group authenticate (returns invalid) for request 4
> > > > auth: Failed to validate the user.
> > > >
> > > > Is the 3com not sending User-Password attributes in the packets, or is something else wrong?
> > >
> > > Run FreeRADIUS in debug mode (radiusd -X) to verify. We cannot guess what your NAS/client is sending.
> > >
> > > -Kevin
Freeradius PEAP and Wireless
I'm trying to setup freeradius with ldap for use with a wireless network. I don't want to have to deal with tls and certificates if possible, I would just like for users to use their username and password to connect. The radius config for ldap is pretty easy, but I'm having a problem when trying to enable peap as my default eap type. I've done so in my eap.conf which I've included and a section of debug when trying to start radiusd. Appreciate any info.

When trying to start radiusd:

Module: Instantiated ldap (ldap)
Module: Loaded eap
 eap: default_eap_type = peap
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Unable to load EAP-Type/peap, as EAP-Type/TLS is required first.
radiusd.conf[10]: eap: Module instantiation failed.
radiusd.conf[1939] Unknown module eap.
radiusd.conf[1886] Failed to parse authenticate section.

eap.conf, basically everything else is commented out:

eap {
        default_eap_type = peap
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}

--
Cody Jarrett
IT Freedom
[EMAIL PROTECTED]
Office: 512.419.0070
Fax: 512.419.0080