Re: Major noob question about freeradius

2010-01-18 Thread Eric Swanson
On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone bryan-bo...@msn.com wrote:

  I have a small network of about 10 windows XP machines.  I need to set
 these machines up so that my users can log into any of these machines.

 For me the simplest solution to solve this would be a windows 2003 server
 domain controller.  Unfortunately due to some corporate restrictions I
 cannot install a windows server.

 I was told that a Radius server could accomplish the same thing for me.  Is
 this true?



Bryan:

I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is
a poor solution for this, if indeed a solution at all.

If you can't set up a Windows server to do this job, the best way to meet
this need is to run Samba on a Linux machine.  If you run it in domain
control mode, it'll act very much like a Windows server for the purposes
you're talking about.

Check out http://samba.org/ for details on Samba.  And for what it's worth I
would lean toward using CentOS as the core platform (of course opinions vary
on this point).  The book Samba-3 by Example gives an excellent guide to
the setup if you need one.  It's available online at
http://www.samba.org/samba/docs/man/Samba-Guide/

Good luck!

E.


-- 
Eric Swanson, swan...@technologypartnerds.com
Director of Marketing & Sales / Senior Technical Staff
Technology Partnerds
888-NERDS-55
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Major noob question about freeradius

2010-01-18 Thread Eric Swanson
On Mon, Jan 18, 2010 at 11:29 AM, freerad...@corwyn.net wrote:

 At 02:01 PM 1/18/2010, Eric Swanson wrote:

 On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone bryan-bo...@msn.com wrote:
 For me the simplest solution to solve this would be a windows 2003 server
 domain controller.  Unfortunately due to some corporate restrictions I
 cannot install a windows server.


 If you can't set up a Windows server to do this job, the best way to meet
 this need is to run Samba on a Linux machine.  If you run it in domain
 control mode, it'll act very much like a Windows server for the purposes
 you're talking about.



 If there's a corporate restriction on installing a windows server, setting
 up a linux server to behave just like a windows server might also be a
 problem.  And indeed if it's on the same network, you'll really need to get
 things right so that it doesn't screw anything up (such as becoming the
 master browser).


Indeed.  Just for the sake of clarity let me break it down one more notch:
  - If the policy that prevents you from installing a Windows server is
something like a company-wide prohibition on using closed-source software,
or on spending licensing money with Microsoft, and if your network stands on
its own -- then Samba is probably a great approach.  Good luck.
  - If, as Rick suggests, the policy comes from something like a central IT
department that requires you to stay out of their realm of authority, then
you've got a whole mess of constraints to navigate.  Good luck.

Speaking for myself, I'd say the pGina approach noted above by Josip makes
sense only if you've already got RADIUS infrastructure.  If you're building
something from scratch, Samba is a much better fit, but if pGina lets you
use existing RADIUS-centric stuff you just might be well-advised to go that
way.


 Just be sure first :-)


Indeed.  Also, note that this is off-topic for the list.

E.


Re: PAP/SSHA plus MS-CHAP on 2.17

2010-01-14 Thread Eric Swanson
On Wed, Jan 13, 2010 at 10:48 PM, Alan DeKok al...@deployingradius.com wrote:
 Eric Swanson wrote:
 ...
 [ldap] Added User-Password = {SSHA}i9--censored--JI in check items
 [ldap] looking for check items in directory...
 rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
 rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545

  You have 3 versions of the known good password for the user.  Which
 one do you want to use?

Alan:

Thanks so much for getting back to me.

My intent is to use the SSHA password -- of the ones my LDAP system
must maintain, I assumed it would be the most straightforward (better
than those Windows ones anyway).

 [pap] Using CRYPT encryption.

  And the pap module isn't configured to use any of them.

 The part that seems strange to me is that the system clearly
 identifies the type of passwords we are using (Normalizing
 SSHA1-Password from base64 encoding seems proof enough of that), but
 a couple lines later PAP has decided to use CRYPT encryption for some
 reason.  I can't imagine what I've done to make the system believe it
 should use CRYPT instead of SSHA.

  Check the configuration of the PAP module.

Here's my modules/pap in its entirety:

pap {
auto_header = yes
}

I haven't found any information on other (non-deprecated) directives
that go in this file.  If there's a way to tell PAP to use the SSHA
password, I would _love_ to hear it.

There's not much to the rest of my PAP-related configuration.

In sites-available/default under the authorization section, PAP is
listed last, just like this:
pap


In sites-available/default under the authentication section, PAP is
listed first like this:
Auth-Type PAP {
pap
}

I'm excited about your note's implication that there's a way to tell
PAP which password to use.  If that's really true, I think all I need
is to be pointed to information about how to do so.

Thankx,

E.



Re: PAP/SSHA plus MS-CHAP on 2.17

2010-01-14 Thread Eric Swanson
On Thu, Jan 14, 2010 at 12:18 AM, Eric Swanson
swan...@technologypartnerds.com wrote:
 There's not much to the rest of my PAP-related configuration.

...and just for the record, I've just grepped through my whole
/etc/raddb folder.  The only other non-commented mentions of PAP are
in eap.conf, sites-available/inner-tunnel, and modules/inner-eap --
none of which has been modified from the standard distributed file.

Thanks again,

E.


Re: PAP/SSHA plus MS-CHAP on 2.17

2010-01-14 Thread Eric Swanson
On Thu, Jan 14, 2010 at 1:29 AM, Alan DeKok al...@deployingradius.com wrote:
  shrug  *something* is either adding a crypt'd password, or is
 forcing the PAP module to use the crypt'd password.

  Maybe the unix module?

Good guess!  I disabled the unix module from authentication and
authorization, and everything looks great.  As it happens, the system
has picked one of the NT passwords to check, but as long as it works
I'm fine.

Thanks so much for your timely assistance.

E.



PAP/SSHA plus MS-CHAP on 2.17

2010-01-13 Thread Eric Swanson
Y'all:

Maybe this question is obvious for somebody, but I haven't been able to
find an answer so far.  I'd appreciate any help on this.

I'm setting up freeradius 2.17 with OpenLDAP on CentOS 5.3 (using the
pre-built RPM repository from
http://people.redhat.com/jdennis/freeradius-rhel-centos).  The system
needs to authenticate at least two different ways by RADIUS (plus
several others by LDAP, but that's all working fine).  Currently one
is working and the other is not.  I've worked with freeradius/LDAP
setups before, but it's been a couple years since I last did it from
scratch.

One client needs to talk MS-CHAP, and that's working great.  If it
matters I'm happy to post logs of these sessions happening, but I
presume that's irrelevant.

The other client needs to talk PAP, and it's not working right at all.

In keeping with the frequent advice of this group, I've kept the
config files as pristine as I can.  Here are all the changes I've made
since I last reverted to the default files:


[/etc/raddb]# diff ./sites-available/default.DIST ./sites-available/default
170c170
 # ldap
---
   ldap
[/etc/raddb]# diff ./modules/ldap.DIST ./modules/ldap
33c33
   server = ldap.your.domain
---
   server = .org
36c36
   basedn = o=My Org,c=UA
---
   basedn = dc=my,dc=office,dc=org
116c116
   # password_attribute = userPassword
---
   password_attribute = userPassword
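Review bot: the 116c116 hunk enables `password_attribute = userPassword`, so rlm_ldap now copies the stored hash into the request as a check item; the debug session further down shows the server binding as "/" (no identity, no password) and still receiving the {SSHA} value together with the sambaNtPassword and sambaLmPassword hashes, which means the directory lets anonymous connections read password hashes. Since the NT hash is a password equivalent, set `identity` and `password` in modules/ldap to a dedicated bind DN and restrict read access on those three attributes to that DN.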
[/etc/raddb]# diff ./modules/pap.DIST ./modules/pap
17c17
   auto_header = no
---
   auto_header = yes
[/etc/raddb]# diff ./clients.conf.DIST ./clients.conf
101c101
   secret  = testing123
---
   secret  = SharedSecret
234a235,240

 client 172.16.0.0/24 {
   secret = SharedSecret
   shortname = office-network
 }

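Review bot: the 234a235,240 hunk admits a whole subnet, `client 172.16.0.0/24`, under one shared secret, so any host in that range that learns the secret can submit Access-Requests and be answered; the usual practice is one `client` block per NAS (here the VPN server at 172.16.0.1 seen in the debug output) with its own long random secret, because that secret is all that protects the User-Password attribute on the wire.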
[/etc/raddb]#


In fiddling over the past few days I've achieved several different
failure modes, but here's what a session looks like now:

rad_recv: Access-Request packet from host 172.16.0.1 port 1078, id=36, length=82
    User-Name = testuser
    User-Password = user
    Service-Type = Authenticate-Only
    NAS-Identifier = VPNSRV
    Message-Authenticator = 0x8e--censored--db
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
[ldap] performing user authorization for testuser
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> testuser
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=testuser)
[ldap]  expand: dc=my,dc=office,dc=org -> dc=my,dc=office,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to muggins.my.office.org:389, authentication 0
rlm_ldap: bind as / to muggins.my.office.org:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=my,dc=office,dc=org, with filter
(uid=testuser)
[ldap] Added User-Password = {SSHA}i9--censored--JI in check items
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x4338--censored--4531
rlm_ldap: sambaLmPassword -> LM-Password == 0x4637--censored--4545
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Normalizing SSHA1-Password from base64 encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password user
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 36 to 172.16.0.1 port 1078
Waking up in 4.9 seconds.


The part that seems strange to me is that the system clearly
identifies the type of passwords we are using (Normalizing
SSHA1-Password from base64 encoding seems proof enough of that), but
a couple lines later PAP has decided to use CRYPT encryption for some
reason.  I can't imagine what I've done to make the system believe it
should use CRYPT instead of SSHA.

I've been developing a range of crazy theories as to what might be
going on, but I think it's time for me to see what y'all have to say.

Thanks in advance for any guidance.

E.

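An added example (not code from FreeRADIUS or from anyone on the thread) of what `auto_header = yes` and the "Normalizing SSHA1-Password from base64 encoding" log line correspond to: the `{header}` prefix selects the check attribute, the base64 body is split into SHA-1 digest and salt, and PAP recomputes the digest over the cleartext plus salt. The header table is an assumed subset of rlm_pap's, and the salt and password used are constructed.

```python
import base64
import hashlib
import hmac

# Subset of the "{header}" -> attribute mapping rlm_pap applies when
# auto_header = yes.  Assumption: reconstructed from the attribute names
# in the debug log, not copied from the FreeRADIUS source.
HEADER_TO_ATTR = {
    "{crypt}": "Crypt-Password",
    "{ssha}": "SSHA1-Password",
    "{nt}": "NT-Password",
    "{lm}": "LM-Password",
}

SHA1_LEN = 20  # an {SSHA} blob is SHA1(password || salt) followed by the salt


def normalize_check_item(value):
    """Map a headered password string to (attribute, raw bytes), or None."""
    if not value.startswith("{") or "}" not in value:
        return None
    header, body = value.split("}", 1)
    attr = HEADER_TO_ATTR.get((header + "}").lower())
    if attr is None:
        return None
    if attr == "Crypt-Password":
        return attr, body.encode()  # crypt(3) strings are compared as text
    if attr in ("NT-Password", "LM-Password"):
        return attr, bytes.fromhex(body)  # "Normalizing ... from hex encoding"
    return attr, base64.b64decode(body)  # "Normalizing ... from base64 encoding"


def make_ssha(password, salt):
    """Build an LDAP {SSHA} userPassword value the way slapd stores it."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """The comparison PAP performs once it has chosen SSHA1-Password."""
    norm = normalize_check_item(stored)
    if norm is None or norm[0] != "SSHA1-Password":
        return False
    raw = norm[1]
    if len(raw) <= SHA1_LEN:
        return False  # digest with no salt: treat as malformed
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)
```

Running `verify_ssha("user", make_ssha("user", b"\x01\x02\x03\x04"))` reproduces the check the thread expected PAP to perform; a Crypt-Password or NT-Password check item in the same request is why PAP reported a different method instead.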