Re: What is this "group authentication"?

2006-01-09 Thread Gary Algier

Gary Algier wrote:
> Alan DeKok wrote:
>> Gary Algier <[EMAIL PROTECTED]> wrote:
>>> I am trying to use the WinXP supplied supplicant and I am getting:
>>>    modcall: group authenticate returns invalid for request 41
>>>
>>> Can someone give me a hint as to what this means?

Problem solved.  Here was what I finally googled on:
rlm_eap_peap: Received EAP-TLV response.

I could not find any mention of "eap-tlv" in any config files
or doc files, but in the mailing list someone else had this problem
and the answer to them was to configure "mschap".  I had it configured,
but apparently not correctly.  I set it thus (thanks to
[EMAIL PROTECTED] for the example):
mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
}
and it worked.  Perhaps it was the "with_ntdomain_hack".  I had NOT
set it because somewhere else it said:
# This configuration entry SHOULD NOT be used.
and I misinterpreted it as a global statement.

Also thanks to [EMAIL PROTECTED] for the note about needing the
KB885453 Hotfix.

Thanks to everyone for their patience.

--
Gary Algier, WB2FWZ  gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: What is this "group authentication"?

2006-01-09 Thread Gary Algier



Alan DeKok wrote:
> Gary Algier <[EMAIL PROTECTED]> wrote:
>> I am trying to use the WinXP supplied supplicant and I am getting:
>>    modcall: group authenticate returns invalid for request 41
>>
>> Can someone give me a hint as to what this means?
>
>   Read the *rest* of the debug log above that to see what's going on.

I did, and I did not understand it (see below for the log).  I thought
that perhaps there was some sort of groups I needed to set up.

>> When I use the WinXP builtin supplicant in "Automatically use my
>> Windows login..." mode, Freeradius fails with the group
>> authentication message.
>
>   It's not "group authentication", it's the "authentication" section
> of "radiusd.conf".
>
>> If I uncheck that and type a login
>> and password (but not a domain), it works fine.  It never does
>> any sort of group check.  If I supply a domain, it does the group
>> check (and fails).  When does it check groups?  What is it
>> checking?
>
>   Read the *rest* of the debug log.

Here are the logs (when it fails with a domain supplied):
---
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/ulcmit/raddb/clients.conf
Config:   including file: /etc/ulcmit/raddb/snmp.conf
Config:   including file: /etc/ulcmit/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "mschapv2"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/ulcmit/raddb/certs/pyrope.ulticom.com.key"
 tls: certificate_file = "/etc/ulcmit/raddb/certs/pyrope.ulticom.com.crt"
 tls: CA_file = "/etc/ulcmit/raddb/certs/ca.pem"
 tls: private_key_password = "(null)"
 tls: dh_file = "/etc/ulcmit/raddb/certs/dh"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded

What is this "group authentication"?

2006-01-06 Thread Gary Algier

Hi:

I am trying to use the WinXP supplied supplicant and I am getting:
   modcall: group authenticate returns invalid for request 41

Can someone give me a hint as to what this means?

When I use the WinXP builtin supplicant in "Automatically use my
Windows login..." mode, Freeradius fails with the group
authentication message.  If I uncheck that and type a login
and password (but not a domain), it works fine.  It never does
any sort of group check.  If I supply a domain, it does the group
check (and fails).  When does it check groups?  What is it
checking?

I am using Freeradius 1.0.5, Sun's DS (with Samba attributes loaded),
and WinXP SP2.

BTW: I am stripping the hostname when doing the user lookups in LDAP
using this:
 filter = "(&(objectclass=person)(uid=%{exec:/etc/ulcmit/raddb/nodomain %{User-Name}}))"
where "nodomain" strips the domain portion.  My LDAP lookups work fine.



Re: LDAP scope

2006-01-05 Thread Gary Algier

Stefan Adams wrote:
> Hi!
>
> Is it possible to specify a basedn of "dc=example,dc=com" with a scope
> of "sub" so that my search filters can apply to both "ou=People" and
> "ou=Computers" for example?  It seems from my testing that the scope
> is "one" by default.

From my experience it is a scope of "sub" by default.  My people are
in the data store like:
dn: uid=gaa,ou=people,dc=ulticom,dc=com
and my ldap section of radius.conf is:
ldap {
        server = "ldap.ulticom.com"
        basedn = "dc=ulticom,dc=com"
        filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        do_xlat = yes
        base_filter = "(objectclass=*)"
        start_tls = no
        access_attr = "uid"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
}




> The reason I would like to do this is to have the check box in Windows
> XP that says "Authenticate as computer..." checked.  Doing this,
> FreeRADIUS is first presented with the credentials of the computer
> (host/name).  Since I already have a computer account in ou=Computers,
> I figure I'd just add a cn=host/name attribute and modify the filter
> to be (|(uid=%{User-Name})(cn=%{User-Name})).  But this can only work
> with a basedn of "dc=example,dc=com" and a scope of sub.

The thing to watch out for is the actual LDAP lookup may not be
what you think.  Without special regex matches or other tricks it
will only lookup your hostname.  For instance with a user of "gaa"
on host "malachite", the supplied user value is "MALACHITE\GAA".
This then results in an LDAP lookup of (from radiusd -X):
-
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
-

I tried to handle it with this:

hints file:
...
DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)(.*)"
        Hint = "8021XUSER",
        Stripped-User-Name = `${2}`
...
users file:
...
DEFAULT Hint == "8021XUSER"
        Fall-Through = 1
...

This strips the hostname off, mostly.  I see it do several "uid=gaa"
lookups, then one "uid=MALACHITE" and then it fails.  If you get it
to work, let me know.  All I want to do is lookup the user.

If you want to use the hostname, how will you match the password?  What
credentials are you expecting it to pass?  I was under the assumption
that when you select "Authenticate as computer..." it expects to
use certificates (I may be wrong here).

The format of the password when using the Windows domain style login
is the Windows "encrypted" format (actually a hash, not encrypted,
but you still can't recreate the clear text password).  In the default
configuration, this value is matched against the LDAP attribute
"sambaNTPassword".  This assumes that you are already using
Samba for SMB/CIFS access.  (I am).



> Thanks!
> Stefan



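The two things Gary's hints entry and his "nodomain" exec wrapper are trying to do, split "MALACHITE\gaa" into a domain and a bare user before the LDAP lookup, are shown below as an added, stand-alone example written for this page; it is not code from the thread, from FreeRADIUS, or from Gary's nodomain script. It also handles the "host/name" machine identity Stefan asks about and the "user@realm" form, and it escapes the name before it goes into the search filter, since User-Name is supplied by the supplicant and is the one value in that filter an attacker can choose. The DOMAIN\user split is the same one the first post's "with_ntdomain_hack = yes" makes rlm_mschap apply when it computes the MS-CHAPv2 response, which is why that setting mattered there. The regex in the hints file above, as pasted, has no separator between its two captures; this example assumes the intended separator is the backslash. The function names, the sample identities, and the assumption that computer objects carry cn=host/name without objectclass=person are all mine.

```python
"""Split an 802.1X User-Name the way the thread's hints entry intends, then
build an escaped LDAP filter from it.  Added example, not FreeRADIUS code."""
import re
from typing import NamedTuple, Optional


class Identity(NamedTuple):
    """What the supplicant's User-Name breaks down into."""
    domain: Optional[str]   # NetBIOS domain from DOMAIN\user, or None
    user: str               # bare account name (or machine name)
    realm: Optional[str]    # realm from user@realm, or None
    is_machine: bool        # True for a host/<name> identity


# DOMAIN\user: one backslash separates domain and user.  This is the split the
# hints-file regex in the thread is meant to perform (assumed separator: "\").
_DOMAIN_RE = re.compile(r"^([^\\/@]+)\\([^\\]+)$")
# "Authenticate as computer" sends host/<machine name> (from Stefan's post).
_HOST_RE = re.compile(r"^host/(.+)$", re.IGNORECASE)


def parse_user_name(user_name: str) -> Identity:
    """Return the Identity a Stripped-User-Name hint would be derived from."""
    m = _HOST_RE.match(user_name)
    if m:
        return Identity(None, m.group(1), None, True)
    name, realm = user_name, None
    if "@" in name:
        # user@realm: split on the last "@" so an "@" in the local part survives
        name, realm = name.rsplit("@", 1)
    m = _DOMAIN_RE.match(name)
    if m:
        return Identity(m.group(1), m.group(2), realm, False)
    return Identity(None, name, realm, False)


# RFC 4515 filter escaping.  The User-Name comes from the supplicant and lands
# inside the search filter, so every filter metacharacter must be escaped.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def build_filter(user_name: str) -> str:
    """Build the filter the thread's ldap { } section would run for this name."""
    ident = parse_user_name(user_name)
    if ident.is_machine:
        # Assumption: computer objects carry cn=host/<name> and are not
        # objectclass=person, so match on cn only (Stefan's planned layout).
        return "(cn=%s)" % ldap_escape(user_name)
    # Regular user: look up the bare uid, domain and realm stripped off.
    return "(&(objectclass=person)(uid=%s))" % ldap_escape(ident.user)


if __name__ == "__main__":
    # Constructed sample identities; the first is the one from the debug log.
    samples = ["MALACHITE\\gaa", "gaa", "gaa@ulticom.com",
               "host/malachite.ulticom.com", "gaa)(uid=*"]
    for name in samples:
        print("%-28s -> %s" % (name, build_filter(name)))
```

The last sample shows why the escaping is there: without it, a User-Name of `gaa)(uid=*` would turn the filter into `(&(objectclass=person)(uid=gaa)(uid=*))`, which is no longer a lookup of a single account. A hints-file regex alone does not give you that protection; whatever ends up in Stripped-User-Name still has to be escaped by the module that builds the filter.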


802.1x, WinXP and LDAP

2006-01-04 Thread Gary Algier
 group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 5
modcall: group authorize returns notfound for request 5
--

So, why don't my regular expressions apply during the group authorize?
How can I fix the group authorize?  Perhaps I don't need it.  Some day
I may use it for controlling VLAN assignment, but for now I would be
happy to just differentiate between "auth" and "not auth".
