RE: Ldap group troubles

2007-06-07 Thread Dourty, Brian R. (IATS)
Upgrading is what broke this functionality.  It works with version
1.0.1. Sometime after that a change was made to rlm_ldap.c. This change
modified the ldap_escape_func() function. The way this function works in
1.1.4 and up is different than 1.0.1. Basically, it didn't escape
anything in 1.0.1 and now it does. 

What we see in 1.1.4/1.1.6 is that a UserDN returned from AD using
OpenLDAP looks like this:

CN=Lastname\,Firstname, CN=bla,DC=bla

After the ldap_escape_func() returns it looks like this:

CN\\3dLastname\\5c\\5c\\2cFirstname\\2cCN\\3dbla\\2cDC\\3dbla

The \, gets escaped then translated and becomes \\5c\\5c\\2c which
doesn't match \, in the member= results of the group.

Any ideas where the extra \\5c is coming from?

Brian Dourty
System Administrator - Team Lead
Division of IT
University of Missouri - Columbia
573-882-1035


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Phil Mayers
Sent: Tuesday, June 05, 2007 6:50 PM
To: FreeRadius users mailing list
Subject: Re: Ldap group troubles

Dourty, Brian R. (IATS) wrote:
 I'm having some trouble with the ldap group configuration against AD
 and need a little help.

 Freeradius 1.1.4

Upgrade.
- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

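Worked example, added here and not part of Brian's post or of rlm_ldap: RFC 4515 hex-escaping of a DN used as a filter assertion value, run against the user DN and the filter value from the debug log in this thread. The escaping of `,` and `=` (which the logged output shows rlm_ldap doing) and the plain string comparison standing in for the server's DN matching rule are assumptions.

```python
"""RFC 4515 hex-escaping of LDAP filter values, applied to the member= search
from this thread.  Added example; not rlm_ldap's ldap_escape_func()."""
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_MUST_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value, extra=",="):
    """Escape one assertion value for use inside a search filter.

    RFC 4515 lets any byte be written as \\XX; the debug log in the thread
    shows rlm_ldap also escaping ',' and '=', so those are escaped by default
    (assumption: this mirrors the logged behaviour, not the C source).
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE:
            out.append(_MUST_ESCAPE[ch])
        elif ch in extra:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(value):
    """Decode \\XX sequences: the raw value the server actually compares."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def build_member_filter(dn):
    """What groupmembership_filter = (member=%{Ldap-UserDn}) expands to."""
    return "(member=%s)" % escape_filter_value(dn)


def filter_value_matches_dn(filter_value, dn):
    """Approximation of the server-side test: decode the assertion value and
    compare it with the stored attribute value.  Exact string match here; a
    real distinguishedNameMatch parses both DNs first (assumption)."""
    return unescape_filter_value(filter_value) == dn


# User DN as AD returns it (from the debug log in this thread): the comma
# inside the CN carries one RFC 4514 backslash escape.
USER_DN = r"CN=Dourty\, Brian R. (IATS),CN=Users,DC=col,DC=missouri,DC=edu"

# Assertion value rlm_ldap actually sent, copied from the same debug log.
LOGGED_FILTER_VALUE = (r"CN\3dDourty\5c\5c\2c Brian R. "
                       r"\28IATS\29\2cCN\3dUsers\2cDC\3dcol\2cDC\3dmissouri\2cDC\3dedu")


def compare_with_log():
    """Return (correctly escaped value, DN the logged value decodes to)."""
    return escape_filter_value(USER_DN), unescape_filter_value(LOGGED_FILTER_VALUE)


if __name__ == "__main__":
    good, decoded = compare_with_log()
    print("expected filter value:", good)
    print("logged   filter value:", LOGGED_FILTER_VALUE)
    print("logged value asks the server to match DN:", decoded)
    print("matches the user DN?", filter_value_matches_dn(LOGGED_FILTER_VALUE, USER_DN))
```

Decoding the logged value shows the server was asked to match a DN containing two backslashes before the comma, which is why the group search returns nothing.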


RE: Ldap group troubles

2007-06-06 Thread Dourty, Brian R. (IATS)
To clarify...we are running version 1.4.1. I'll try the latest release
anyway.

Brian Dourty
System Administrator - Team Lead
Division of IT (formerly IAT Services)
University of Missouri - Columbia
573-882-1035

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Phil Mayers
Sent: Tuesday, June 05, 2007 6:50 PM
To: FreeRadius users mailing list
Subject: Re: Ldap group troubles

Dourty, Brian R. (IATS) wrote:
 I'm having some trouble with the ldap group configuration against AD
 and need a little help.

 Freeradius 1.1.4

Upgrade.


RE: Ldap group troubles

2007-06-06 Thread Dourty, Brian R. (IATS)
 for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'DC=edu'
radius_xlat:  '(|(sAMAccountName=dourtyb)(userPrincipalName=dourtyb))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x.x.x.x:3268, authentication 0
rlm_ldap: starting TLS
rlm_ldap: bind as ldapuser/password to x.x.x.x:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=edu, with filter
(|(sAMAccountName=dourtyb)(userPrincipalName=dourtyb))
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(member=CN\3dDourty\5c\5c\2c Brian R.
\28IATS\29\2cCN\3dUsers\2cDC\3dcol\2cDC\3dmissouri\2cDC\3dedu)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=CSG
Group,OU=CSG,OU=ACE,OU=IATS,OU=MU,DC=col,DC=missouri,DC=edu, with filter
(member=CN\3dDourty\5c\5c\2c Brian R.
\28IATS\29\2cCN\3dUsers\2cDC\3dcol\2cDC\3dmissouri\2cDC\3dedu)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group CN=CSG
Group,OU=CSG,OU=ACE,OU=IATS,OU=MU,DC=col,DC=missouri,DC=edu not found or
user is not a member.
  modcall[authorize]: module files returns notfound for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for dourtyb
radius_xlat:  '(|(sAMAccountName=dourtyb)(userPrincipalName=dourtyb))'
radius_xlat:  'DC=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in DC=edu, with filter
(|(sAMAccountName=dourtyb)(userPrincipalName=dourtyb))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user dourtyb authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type LDAP
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by dourtyb with password password
rlm_ldap: user DN: CN=Dourty\, Brian R.
(IATS),CN=Users,DC=col,DC=missouri,DC=edu
rlm_ldap: (re)connect to x.x.x.x:3268, authentication 1
rlm_ldap: starting TLS
rlm_ldap: bind as CN=Dourty\, Brian R.
(IATS),CN=Users,DC=col,DC=missouri,DC=edu/password to x.x.x.x:3268
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user dourtyb authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Login OK: [dourtyb] (from client radius-vm-tc1 port 12)
Sending Access-Accept of id 80 to x.x.x.x port 33108
Finished request 0
Going to the next request

Brian Dourty
System Administrator - Team Lead
Division of IT (formerly IAT Services)
University of Missouri - Columbia
573-882-1035


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Dourty, Brian R. (IATS)
Sent: Wednesday, June 06, 2007 8:04 AM
To: FreeRadius users mailing list
Subject: RE: Ldap group troubles

To clarify...we are running version 1.4.1. I'll try the latest release
anyway.

Brian Dourty
System Administrator - Team Lead
Division of IT (formerly IAT Services)
University of Missouri - Columbia
573-882-1035

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Phil Mayers
Sent: Tuesday, June 05, 2007 6:50 PM
To: FreeRadius users mailing list
Subject: Re: Ldap group troubles

Dourty, Brian R. (IATS) wrote:
 I'm having some trouble with the ldap group configuration against AD
 and need a little help.

 Freeradius 1.1.4

Upgrade.


Ldap group troubles

2007-06-05 Thread Dourty, Brian R. (IATS)
I'm having some trouble with the ldap group configuration against AD and
need a little help. 

 

Freeradius 1.1.4

MS 2003 Active Directory



radiusd.conf

groupname_attribute = cn

groupmembership_filter = (member=%{Ldap-UserDn})

   groupmembership_attribute = memberOf

 

users file

 

DEFAULT Ldap-Group == CN= CSG
Group,OU=CSG,OU=ACE,OU=IATS,OU=MU,DC=col,DC=missouri,DC=edu, Auth-Type
:= LDAP

 

Using ldapsearch as follows I get a match. 

 

ldapsearch -x  -W -bCN=Some GROUP,OU= (member= CN=Last\\\, First
\(Department\),CN=Users,DC=col,DC=missouri,DC=edu)

 

The userDN actually looks like CN=Last\, First
(Department),CN=Users,DC=col,DC=missouri,DC=edu but we have to escape the
\ and the () for bash.

   

Freeradius isn't getting the same results. It looks like it has to do
with the fact that the UserDN has a \, and (...) in it. Has anyone else
run into this before?

 

Thanks,

 

Brian Dourty

System Administrator - Team Lead

Division of IT (formerly IAT Services)

University of Missouri - Columbia

573-882-1035

 


radiusd and oracle accounting

2007-01-22 Thread Dourty, Brian R. \(IATS\)
We have configured our radius servers to send accounting information to
an Oracle database. It works out really well except when the Oracle
database server isn't available (i.e. maintenance or cold backups). The
radius process dies when it loses connectivity to the Oracle server. Has
anyone else noticed this problem? Any suggestions on how to make radiusd
more robust and able to recover from this?

 

Thanks,

 

Brian Dourty

System Administrator - Team Lead

IAT Services

University of Missouri - Columbia

573-882-1035

 


RE: Windows Vista doing PEAP

2006-11-30 Thread Dourty, Brian R. \(IATS\)
The patch did improve things, but it still isn't perfect. If I configure
my VISTA client to prompt me for my credentials the authentication works
and I get connected. If I configure my VISTA client to use my windows
login credentials (this is the default behavior) the Auth fails. For
some reason the arguments to ntlm_auth aren't right. I've looked at the
requests and don't see anything different as far as domain/username. It
still functions fine under XP, even when XP uses windows credentials for
the log in rather than prompting.

Brian

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
rg] On Behalf Of Michael Griego
Sent: Wednesday, November 29, 2006 9:30 PM
To: FreeRadius users mailing list
Subject: Re: Windows Vista doing PEAP

Cool deal.  I have also been able to confirm that adding the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option to the CTX makes Vista work.
This is good news for us since we have a volume license deal and now
have release copies beginning to be installed.  :)

--Mike


On Nov 29, 2006, at 5:00 PM, Alan DeKok wrote:

 Michael Messner wrote:
 I think you have not seen the mail from [EMAIL PROTECTED] with
 subject:
 Re[4]: Windows Vista doing PEAP - WORKING!!!

   Hmm... I have noticed the occasional email show up in the list 
 archives, but not in my inbox.  Oh well.

   I've added the patch to 1.1.4 & CVS head.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog




RE: Windows Vista doing PEAP

2006-10-23 Thread Dourty, Brian R. \(IATS\)
Got this patch to work with 1.1.3 without seg faulting... I've sent Alan
the debug output.

Can download it here:
http://bengal.missouri.edu/~dourtyb/freeradius/vista.patch

Index: src/modules/rlm_eap/rlm_eap.c
===
RCS file: /source/radiusd/src/modules/rlm_eap/rlm_eap.c,v
retrieving revision 1.26.2.1.2.1
diff -u -r1.26.2.1.2.1 rlm_eap.c
--- src/modules/rlm_eap/rlm_eap.c   6 Feb 2006 16:23:52 -
1.26.2.1.2.1
+++ src/modules/rlm_eap/rlm_eap.c   18 Oct 2006 21:15:45 -
@@ -338,6 +338,7 @@
 *  We are done, wrap the EAP-request in RADIUS to send
 *  with all other required radius attributes
 */
+   DEBUG2(VISTA[%s:%d]: here,  __func__, __LINE__);
rcode = eap_compose(handler);
 
/*
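Review bot: The DEBUG2 added before this eap_compose() call says only "here", and the identical line is added before the second eap_compose() call further down in rlm_eap.c, so the two sites can only be told apart by the __LINE__ value. Give each a distinct message naming the code path, and treat the VISTA-tagged lines as temporary instrumentation to be removed before the patch is merged.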
@@ -515,6 +516,7 @@
 *  We are done, wrap the EAP-request in RADIUS to
send
 *  with all other required radius attributes
 */
+   DEBUG2(VISTA[%s:%d]: here,  __func__, __LINE__);
rcode = eap_compose(handler);
 
/*
Index: src/modules/rlm_eap/eap.c
===
RCS file: /source/radiusd/src/modules/rlm_eap/eap.c,v
retrieving revision 1.52.4.1
diff -u -r1.52.4.1 eap.c
--- src/modules/rlm_eap/eap.c   6 Feb 2006 16:23:49 -   1.52.4.1
+++ src/modules/rlm_eap/eap.c   18 Oct 2006 21:15:45 -
@@ -1,4 +1,4 @@
-/*
+ /*
  * eap.crfc2284  rfc2869 implementation
  *
  * Version: $Id: eap.c,v 1.52.4.1 2006/02/06 16:23:49 nbk Exp $
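Review bot: This hunk only inserts a leading space before the opening `/*` of the file header comment in eap.c; that is whitespace churn unrelated to the Vista debugging and should be dropped from the patch.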
@@ -382,7 +382,10 @@
eap_packet_t*hdr;
uint16_t total_length = 0;
 
-   if (reply == NULL) return EAP_INVALID;
+   if (reply == NULL) {
+ DEBUG2(VISTA[%s:%d]: eap_wireformat invalid,  __func__,
__LINE__);
+ return EAP_INVALID;
+   }
 
total_length = EAP_HEADER_LEN;
if (reply-code  3) {
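Review bot: The message in the new `if (reply == NULL)` block, "eap_wireformat invalid", describes the return value rather than the cause; log the condition itself (e.g. "eap_wireformat: reply is NULL") so the -X output shows which of the EAP_INVALID paths in this function fired. Turning the one-line return into a braced block is fine, but keep the indentation of the new `DEBUG2(` and `return` lines consistent with the surrounding code.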
@@ -469,6 +472,8 @@
 *  mentioned restriction.
 */
reply-id = handler-eap_ds-response-id;
+   DEBUG2(VISTA[%s:%d]: reply-id %d, __func__, __LINE__,
reply-id);
+   DEBUG2(VISTA[%s:%d]: reply-code %d,  __func__,
__LINE__,reply-code);
 
switch (reply-code) {
/*
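Review bot: The two new DEBUG2 calls for reply-id and reply-code could be a single line carrying both values, which is easier to correlate in the debug output posted in this thread; also `__LINE__,reply-code` wants a space after the comma to match the neighbouring lines.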
@@ -506,16 +511,20 @@
 *  that the TTLS and PEAP modules can call it to do most
 *  of their dirty work.
 */
+   DEBUG2(VISTA[%s:%d]: eap-request-code %d,  __func__,
__LINE__, eap_ds-request-code);
+   DEBUG2(VISTA[%s:%d]: eap-request-type.type %d,  __func__,
__LINE__, eap_ds-request-type.type);
+   DEBUG2(VISTA[%s:%d]: handler-eap_type %d,  __func__,
__LINE__, handler-eap_type);
+
if (((eap_ds-request-code == PW_EAP_REQUEST) ||
 (eap_ds-request-code == PW_EAP_RESPONSE)) 
(eap_ds-request-type.type == 0)) {
rad_assert(handler-eap_type = PW_EAP_MD5);
rad_assert(handler-eap_type = PW_EAP_MAX_TYPES);
+   DEBUG2(VISTA[%s:%d]: Setting EAP type,  __func__,
__LINE__);
 
eap_ds-request-type.type = handler-eap_type;
}
 
-
if (eap_wireformat(reply) == EAP_INVALID) {
return RLM_MODULE_INVALID;
}
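Review bot: The "Setting EAP type" DEBUG2 sits after the two rad_assert() calls on handler-eap_type, so if either assertion fires the line is never printed and the handler-eap_type value logged at the top of this hunk is the only clue; move it above the asserts if the point is to diagnose a bad type. The deletion of the blank line before `if (eap_wireformat(reply) == EAP_INVALID)` is unrelated whitespace churn and should be left out.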
@@ -598,6 +607,8 @@
break;
}
 
+   DEBUG2(VISTA[%s:%d]: rcode %d, __func__, __LINE__, rcode);
+
return rcode;
 }



 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Phil Mayers
 Sent: Friday, October 20, 2006 6:42 PM
 To: FreeRadius users mailing list
 Subject: Re: Windows Vista doing PEAP
 
 Josh Howlett wrote:
Again, I have no idea why it's core dumping.  It shouldn't be.  I
  don't have Vista, and I can't debug this issue myself.  It's up to
 you.
 
  Sorry - I've come late to this thread. Do we have a general problem
 with
  Vista failing to authenticate against FR, or is this just one
 instance
  failing, and we know of other instances where it is working?
 
 It's a general problem.
 
 Sadly the netsh ras set tracing * enable thing seems not to be
 present
 or work under the vista RCs we've looked at and there was little of
 value in the event logs so the cause is somewhat hard to pin down.
It's
 definitely PEAP (as opposed to EAP-TLS) related.
 
 Knowing MS they've made a TLV that was previously optional, mandatory,
 or similar. Given the problems seems to be windows-centred, someone
 with
 more windows experience may need to get info from the client as to why
 *it* thinks things are going awry



RE: Windows Vista doing PEAP

2006-10-20 Thread Dourty, Brian R. \(IATS\)
Yeah, I'll do it today.

Brian

 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 King, Michael
 Sent: Thursday, October 19, 2006 4:24 PM
 To: FreeRadius users mailing list
 Subject: RE: Windows Vista doing PEAP
 
 Could you try the patch Alan has posted, run the server in debug mode,
 and post the logs?
 
 Please don't do this on a production server.
 
 For some reason, the patch is causing my server to segfault.  (It
 doesn't matter what the OS is (WinXP, VISTA, they all cause it to seg
 fault with DEBUG printing)
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:freeradius-users-
 [EMAIL PROTECTED]
 On Behalf Of Dourty, Brian R. (IATS)
 Sent: Thursday, October 19, 2006 4:44 PM
 To: FreeRadius users mailing list
 Subject: RE: Windows Vista doing PEAP
 
 We have also posted here about our difficulties with Windows Vista and
 our FR. It isn't working for us either.
 
 Brian
 
  -Original Message-
  From: freeradius-users-
  [EMAIL PROTECTED]
[mailto:freeradius-
  [EMAIL PROTECTED] On Behalf
Of
  King, Michael
  Sent: Thursday, October 19, 2006 2:52 PM
  To: FreeRadius users mailing list
  Subject: RE: Windows Vista doing PEAP
 
 
 
  -Original Message-
  Sorry - I've come late to this thread. Do we have a general problem
  with Vista failing to authenticate against FR, or is this just one
  instance failing, and we know of other instances where it is
working?
 
 
 
 
  It's most likely I'm the first to try it, and I've had.
  Difficulties
  :-)
 
 



RE: Windows Vista doing PEAP

2006-10-19 Thread Dourty, Brian R. \(IATS\)
We have also posted here about our difficulties with Windows Vista and
our FR. It isn't working for us either.

Brian 

 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 King, Michael
 Sent: Thursday, October 19, 2006 2:52 PM
 To: FreeRadius users mailing list
 Subject: RE: Windows Vista doing PEAP
 
 
 
 -Original Message-
 Sorry - I've come late to this thread. Do we have a general problem
 with
 Vista failing to authenticate against FR, or is this just one instance
 failing, and we know of other instances where it is working?
 
 
 
 
 It's most likely I'm the first to try it, and I've had.
 Difficulties
 :-)
 



RHEL4 and Oracle Instant Client

2006-10-10 Thread Dourty, Brian R. \(IATS\)
Has anyone gotten the source RPMs from RHEL4 to build with the oracle
module using the Oracle instant client? It keeps giving me the following
error no matter what I try:

checking for oci.h... yes
checking for oracle_init in -loracleclient... no
configure: warning: oracle libraries not found.  Use
--with-oracle-lib-dir=path.
configure: warning: sql submodule 'oracle' disabled

Thanks,

Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035



AD Group based ldap auth

2006-10-10 Thread Dourty, Brian R. \(IATS\)
I'm trying to get group based authentication working using LDAP against
AD. Right now I'm getting a failure related to the group search filter.
What filter should I be using?

groupmembership_filter =
(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))

Looking at the howto here
http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048536.
html got me part of the way. Anyone out there doing group based auth
against AD mind sharing their config?

Thanks,

Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035




MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread Dourty, Brian R. \(IATS\)
We are having some difficulties getting MS Vista RC1 build (5600) to
work with our Freeradius server using 802.1x. Has anyone been able to
get this to work?

Brian Dourty
System Administrator - Team Lead
IAT Services
University of Missouri - Columbia
573-882-1035




RE: MS Vista RC1 and Freeradius 802.1x

2006-09-21 Thread Dourty, Brian R. \(IATS\)
I haven't spent a lot of time debugging the problem yet, but out of the
box Vista doesn't work with our 802.1x/PEAP/MSChapV2 config we have been
using successfully on WinXP.

Brian Dourty

 -Original Message-
 From: freeradius-users-
 [EMAIL PROTECTED] [mailto:freeradius-
 [EMAIL PROTECTED] On Behalf Of
 Alan DeKok
 Sent: Thursday, September 21, 2006 9:54 AM
 To: FreeRadius users mailing list
 Subject: Re: MS Vista RC1 and Freeradius 802.1x
 
 Dourty, Brian R. \(IATS\) [EMAIL PROTECTED] wrote:
  We are having some difficulties getting MS Vista RC1 build (5600) to
  work with our Freeradius server using 802.1x. Has anyone been able
to
  get this to work?
 
   Not that I've heard.
 
   What problems are you having?
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog



RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  Ok, but isn't the with_ntdomain_hack = yes directive in the 
  radiusd.conf file supposed to correct this behavior?
 
   Theoretically, yes.  But when you're calling ntlm_auth, the 
 with_ntdomain_hack isn't being used.  Why would it?  You're 
 passing the exact attributes you want to ntlm_auth.  If you 
 don't like the attributes, change them.  Why would we need 
 another configuration option to do the same thing?
 
  So now my args for ntlm_auth are right, but I think something is up 
  with mschap still.
 
   If the arguments to ntlm_auth are right, then it should work.

To clarify things here, the --domain and --username arguments are right,
but the --challenge argument is incorrect. 

I'm looking at the code in rlm_mschap.c. I believe this is the code that
creates the value for the --challenge argument for ntlm_auth. It is my
understanding that this is a hash created with this code:

challenge_hash(response->strvalue + 2,
               chap_challenge->strvalue,
               user_name->strvalue, buffer);

The username being used in this function still contains the DOMAIN! This
is what is keeping the auth from working. I've added debug statements to
my code. It's using the domain/user. This won't work. 

 
  When the Challenge or Response message is generated is it 
 still trying 
  to user domain/user as the username?
 
   Ask the client, not FreeRADIUS.

I can't change the client. I can change freeradius. The client presents
freeradius with a domain/username. We all know that is the case.

 
   And when you're using ntlm_auth, *you* configure it to use 
 domain\user, or just user.  So to answer your question on 
 FreeRADIUS's side, go back and read your configuration.
 
  I'm confused on this point. When PEAP identity is set to 
 username my 
  auths work. When the PEAP identity is of the form 
 domain/user MSCHAP 
  fails.
 
   Yes.  This is the problem.  But it has nothing to do with PEAP.

You are right, it has nothing to do with PEAP. Freeradius gets what the
client gives it. The problem occurs in the mschap module. 

   There's no point trying to configure FreeRADIUS to do the right
 thing, when you don't even know what the right thing is.  
 Find that out first, and THEN configure the server.

I know what the right thing is. In order for the ntlm_auth to return OK
all of its arguments have to be right. When a client is set up to send
domain/user instead of just user things break down in the MSCHAP module.
The NTLM_AUTH function takes 4 arguments from freeradius. They are as
follows:

--domain %{Realm}
--username %{Stripped-User-Name}
--challenge %{mschap:Challenge:-00}
--nt-response %{mschap:NT-Response:-00}

The challenge and nt-response are both hashes based in part on the
username. The username that freeradius uses when it generates these
hashes is the full username, not the stripped username. This is what is
causing my problem.

Now, the question is how to go about fixing the problem.

Brian D.

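Worked example, added here and not taken from the post or from FreeRADIUS: the RFC 2759 ChallengeHash that rlm_mschap's challenge_hash() computes for the --challenge argument, checked against the RFC 2759 test vector and then fed a DOMAIN\user name versus the stripped name. The MS-CHAP2-Response byte layout, the sample response and the strip_ntdomain() helper modelled on with_ntdomain_hack are assumptions.

```python
"""MS-CHAPv2 ChallengeHash (RFC 2759 section 8.2) and the effect of a
DOMAIN\\ prefix on the --challenge value handed to ntlm_auth.
Added example; not rlm_mschap.c."""
import hashlib


def strip_ntdomain(user_name):
    """Drop a leading 'DOMAIN\\' prefix, as with_ntdomain_hack does
    (assumption: simple split on the first backslash)."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name


def challenge_hash(peer_challenge, authenticator_challenge, user_name):
    """RFC 2759 ChallengeHash: first 8 octets of
    SHA1(PeerChallenge || AuthenticatorChallenge || UserName).
    The client hashes the bare user name, never the domain-qualified one."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("ascii"))
    return h.digest()[:8]


def ntlm_auth_challenge_arg(ms_chap2_response, ms_chap_challenge, user_name,
                            strip_domain):
    """Derive the --challenge value for ntlm_auth from the RADIUS attributes.

    ms_chap2_response is the 50-octet MS-CHAP2-Response value:
    ident(1) flags(1) peer_challenge(16) reserved(8) nt_response(24);
    rlm_mschap passes response->strvalue + 2, i.e. the peer challenge.
    """
    peer_challenge = ms_chap2_response[2:18]
    name = strip_ntdomain(user_name) if strip_domain else user_name
    return challenge_hash(peer_challenge, ms_chap_challenge, name).hex()


# RFC 2759 section 9.2 test vector: user "User".
RFC_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC_CHALLENGE = "d02e4386bce91226"


def rfc2759_vector_ok():
    """Self-check of challenge_hash() against the RFC 2759 vector."""
    return challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTH_CHALLENGE,
                          "User").hex() == RFC_CHALLENGE


# Constructed MS-CHAP2-Response carrying the RFC peer challenge; ident 1,
# flags 0, reserved and NT-Response zeroed (only bytes 2..18 matter here).
SAMPLE_RESPONSE = bytes([1, 0]) + RFC_PEER_CHALLENGE + bytes(8) + bytes(24)


def demo(user_name="UMC-USERS\\User"):
    """Return (challenge with the domain left in, challenge with it stripped)."""
    with_domain = ntlm_auth_challenge_arg(SAMPLE_RESPONSE, RFC_AUTH_CHALLENGE,
                                          user_name, strip_domain=False)
    stripped = ntlm_auth_challenge_arg(SAMPLE_RESPONSE, RFC_AUTH_CHALLENGE,
                                       user_name, strip_domain=True)
    return with_domain, stripped


if __name__ == "__main__":
    print("RFC 2759 vector ok:", rfc2759_vector_ok())
    with_domain, stripped = demo()
    print("--challenge with DOMAIN\\user :", with_domain)
    print("--challenge with user only   :", stripped)
```

Only the stripped name reproduces the challenge the Windows client used, so an ntlm_auth call built from the unstripped User-Name fails with a wrong-password result even when --domain and --username are correct.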


RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-05-03 Thread Dourty, Brian R. \(IATS\)
I patched the rlm_mschap.c file (attached). I pulled code from
rlm_preprocess.c that handles the with_ntdomain_hack and modified it to
work. The user_name argument being passed to challenge_hash() function
now honors the with_ntdomain_hack but my problem still exists. :-( Back
to the drawing board.

Brian D.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Alan DeKok
 Sent: Monday, May 03, 2004 1:07 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question 
 
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  To clarify things here, the --domain and --username arguments are 
  right, but the --challenge argument is incorrect.
 
   Ah, OK.
 
  The username being used in this function still contains the DOMAIN! 
  This is what is keeping the auth from working. I've added debug 
  statements to my code. Its using the domain/user. This won't work.
 
   Then the with_ntdomain_hack should be set...
 
  I can't change the client. I can change freeradius. The client 
  presents freeradius with a domain/username. We all know 
 that is the case.
 
   Yes, that's a problem.  The client is *lying* to FreeRADIUS.
 
  The challenge and nt-response are both hashes based in part on the 
  username. The username that freeradius uses when it generates these 
  hashes is the full username, not the stripped username. 
 This is what 
  is causing my problem.
  
  Now, the question is how to go about fixing the problem.
 
   Theoretically, using with_ntdomain_hack should help. 
 
   Hmm... the code you pointed out does appear to ignore 
 with_ntdomain_hack.  I'll fix that.  See tomorrow's CVS snapshot.
 
   Alan DeKok.
 
 
 


with_ntdomain_hack.patch
Description: with_ntdomain_hack.patch


RE: Freeradius on redhat ES 3.0

2004-05-03 Thread Dourty, Brian R. \(IATS\)
Our radius servers are both RHEL 3.0 AS machines. We recompiled
freeradius from redhat supplied source RPMS to get oracle support. We
use them to handle dialup modem pools and VPN client. We haven't had any
problem with the production systems. What are you trying to use your
radius server for?

Brian D.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On 
 Behalf Of Milver S. Nisay
 Sent: Monday, May 03, 2004 1:35 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Freeradius on redhat ES 3.0
 
 
  I would appreciate some feedback on this list. 
  Has anybody have any luck have freeradius 0.9.3 working on 
 redhat ES 
  3.0.  it seems the authentication type System no longer works.
 
 system authentication type requires accounts to be 
 authenticated against system password and shadow files. it 
 seems that the user you are trying to authenticate is not 
 existing with passwd and shadow files
 
 //milver
 
 
 
 
 



Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. \(IATS\)
Hello all,

We are in the process of testing 802.1x authentication for future
deployment on campus. Our test setup includes the following:

freeradius-snapshot-20040427 running on RHEL 3.0 AS
Configured for PEAP with MSCHAPv2 using SAMBA's winbind/ntlm_auth
Multiple AD domains (smb.conf points to a Global Catalog Server)
Linux/Windows XP/Windows 2K/Mac OS X clients

What works:

1. using wbinfo -a domain+user%password I can authenticate as any user
in any of our domains.
2. 802.1x auths as long as I don't supply a domain and the user is in
the domain that the GC is in.

What doesn't work:

1. Supplying domain with login credentials.

I've got a realm for each of our domains setup up and I can see the
preprocess module doing its job separating domain from username. Then
the MSCHAPv2 module kicks in and the call to NTLM_AUTH fails with wrong
password.

1. Keeping in mind that user1 in domain1 can auth as long as domain1
isn't supplied why does supplying domain1 cause the auth to fail?

2. What does preprocess do with the realm it strips off? I'd like to be able
to pass the realm as a --domain option to ntlm_auth.

3. Why does PEAP think the username is still domain/user? I see the
following in the logs while running radius -X -A

  PEAP: Setting User-Name to UMC-USERS\dourtyb
  PEAP: Adding old state with 17 b0
  PEAP: Sending tunneled request

  Should it be using Stripped-User-Name instead?

Thanks,

Brian Dourty
IAT Services
University of Missouri - Columbia



RE: Freeradius + PEAP + MSCHAPV2 + NTLM_AUTH Question....

2004-04-30 Thread Dourty, Brian R. \(IATS\)
 
 Dourty, Brian R. (IATS) [EMAIL PROTECTED] wrote:
  1. Keeping in mind that user1 in domain1 can auth as long 
 as domain1 
  isn't supplied why does supplying domain1 cause the auth to fail?
 
   Because the MS client does the MS-CHAP calculations using 
 the username without the domain, but supplies the username to 
 the RADIUS server WITH the domain.
 
   See the list archives for more explanations.

Ok, but isn't the with_ntdomain_hack = yes directive in the
radiusd.conf file supposed to correct this behavior?

# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.

 
  2. What does preprocess do with realm is strips off? I'd like to be 
  able to pass the realm as a --domain option to ntlm_auth.
 
   Read the debug log.  It adds it as an attribute.

Ah yes, I see that now. New attribute is called Realm so the line in
radiusd.conf is now:

ntlm_auth = /usr/bin/ntlm_auth --domain=%{Realm} --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

So now my args for ntlm_auth are right, but I think something is up with
mschap still. When the Challenge or Response message is generated is it
still trying to user domain/user as the username?

 
  3. Why does PEAP think the username is still domain/user? I see the 
  following in the logs while running radius -X -A
  
PEAP: Setting User-Name to UMC-USERS\dourtyb
 
   Because that's the name in the EAP identity packet.  Read 
 the debug log, it says this.
 
Should it be using Stripped-User-Name instead?
 
   No.

I'm confused on this point. When PEAP identity is set to username my
auths work. When the PEAP identity is of the form domain/user MSCHAP
fails. 

Am I wrong in thinking that with the correct configuration Freeradius
will allow me to have users from all trusted domains use the MSCHAP
module for 802.1x auth? Where am I going wrong?

Thanks!

Brian Dourty
IAT Services
University of Columbia - Missouri
