Re: What is this "group authentication"?
Gary Algier wrote:
> Alan DeKok wrote:
>> Gary Algier <[EMAIL PROTECTED]> wrote:
>>> I am trying to use the WinXP supplied supplicant and I am getting:
>>>
>>>   modcall: group authenticate returns invalid for request 41
>>>
>>> Can someone give me a hint as to what this means?

Problem solved. Here was what I finally googled on:

  rlm_eap_peap: Received EAP-TLV response.

I could not find any mention of "eap-tlv" in any config files or doc files, but in the mailing list someone else had this problem and the answer to them was to configure "mschap". I had it configured, but apparently not correctly. I set it thus (thanks to [EMAIL PROTECTED] for the example):

  mschap {
      authtype = MS-CHAP
      use_mppe = yes
      require_encryption = yes
      require_strong = yes
      with_ntdomain_hack = yes
  }

and it worked. Perhaps it was the "with_ntdomain_hack". I had NOT set it because somewhere else it said:

  # This configuration entry SHOULD NOT be used.

and I misinterpreted it as a global statement.

Also thanks to [EMAIL PROTECTED] for the note about needing the KB885453 Hotfix.

Thanks to everyone for their patience.

--
Gary Algier, WB2FWZ                         gaa at ulticom.com    +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054             Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
    People don't read documentation voluntarily.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: What is this "group authentication"?
Alan DeKok wrote:
> Gary Algier <[EMAIL PROTECTED]> wrote:
>> I am trying to use the WinXP supplied supplicant and I am getting:
>>
>>   modcall: group authenticate returns invalid for request 41
>>
>> Can someone give me a hint as to what this means?
>
> Read the *rest* of the debug log above that to see what's going on.

I did and I did not understand it (see below for the log). I thought that perhaps there was some sort of groups I needed to set up.

>> When I use the WinXP builtin supplicant in "Automatically use my Windows login..." mode, Freeradius fails with the group authentication message.
>
> It's not "group authentication", it's the "authentication" section of "radiusd.conf".
>
>> If I uncheck that and type a login and password (but not a domain), it works fine. It never does any sort of group check. If I supply a domain, it does the group check (and fails). When does it check groups? What is it checking?
>
> Read the *rest* of the debug log.

Here's the logs (when it fails with a domain supplied):

---
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config:   including file: /etc/ulcmit/raddb/clients.conf
Config:   including file: /etc/ulcmit/raddb/snmp.conf
Config:   including file: /etc/ulcmit/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "mschapv2"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/ulcmit/raddb/certs/pyrope.ulticom.com.key"
 tls: certificate_file = "/etc/ulcmit/raddb/certs/pyrope.ulticom.com.crt"
 tls: CA_file = "/etc/ulcmit/raddb/certs/ca.pem"
 tls: private_key_password = "(null)"
 tls: dh_file = "/etc/ulcmit/raddb/certs/dh"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded
What is this "group authentication"?
Hi:

I am trying to use the WinXP supplied supplicant and I am getting:

  modcall: group authenticate returns invalid for request 41

Can someone give me a hint as to what this means?

When I use the WinXP builtin supplicant in "Automatically use my Windows login..." mode, Freeradius fails with the group authentication message. If I uncheck that and type a login and password (but not a domain), it works fine. It never does any sort of group check. If I supply a domain, it does the group check (and fails). When does it check groups? What is it checking?

I am using Freeradius 1.0.5, Sun's DS (with Samba attributes loaded), and WinXP SP2.

BTW: I am stripping the hostname when doing the user lookups in LDAP using this:

  filter = "(&(objectclass=person)(uid=%{exec:/etc/ulcmit/raddb/nodomain %{User-Name}}))"

where "nodomain" strips the domain portion. My LDAP lookups work fine.
Re: LDAP scope
Stefan Adams wrote:
> Hi!
>
> Is it possible to specify a basedn of "dc=example,dc=com" with a scope of "sub" so that my search filters can apply to both "ou=People" and "ou=Computers" for example? It seems from my testing that the scope is "one" by default.

From my experience it is a scope of "sub" by default. My people are in the data store like:

  dn: uid=gaa,ou=people,dc=ulticom,dc=com

and my ldap section of radius.conf is:

  ldap {
      server = "ldap.ulticom.com"
      basedn = "dc=ulticom,dc=com"
      filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
      do_xlat = yes
      base_filter = "(objectclass=*)"
      start_tls = no
      access_attr = "uid"
      dictionary_mapping = ${raddbdir}/ldap.attrmap
      ldap_connections_number = 5
      timeout = 4
      timelimit = 3
      net_timeout = 1
  }

> The reason I would like to do this is to have the check box in Windows XP that says "Authenticate as computer..." checked. Doing this, FreeRADIUS is first presented with the credentials of the computer (host/name). Since I already have a computer account in ou=Computers, I figure I'd just add a cn=host/name attribute and modify the filter to be (|(uid=%{User-Name})(cn=%{User-Name})). But this can only work with a basedn of "dc=example,dc=com" and a scope of sub.

The thing to watch out for is the actual LDAP lookup may not be what you think. Without special regex matches or other tricks it will only look up your hostname. For instance with a user of "gaa" on host "malachite", the supplied user value is "MALACHITE\GAA".

This then results in an LDAP lookup of (from radiusd -X):

-
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
-

I tried to handle it with this:

hints file:
  ...
  DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)(.*)"
          Hint = "8021XUSER", Stripped-User-Name = `${2}`
  ...

users file:
  ...
  DEFAULT Hint == "8021XUSER"
          Fall-Through = 1
  ...

This strips the hostname off, mostly. I see it do several "uid=gaa" lookups, then one "uid=MALACHITE" and then it fails. If you get it to work, let me know. All I want to do is look up the user.

If you want to use the hostname, how will you match the password? What credentials are you expecting it to pass?

> I was under the assumption that when you select "Authenticate as computer..." it expects to use certificates (I may be wrong here).

The format of the password when using the Windows domain style login is the Windows "encrypted" format (actually a hash, not encrypted, but you still can't recreate the clear text password). In the default configuration, this value is matched against the LDAP attribute "sambaNTPassword". This assumes that you are already using Samba for SMB/CIFS access. (I am).

> Thanks!
> Stefan
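Both the original post's "nodomain" exec filter and the MALACHITE\gaa lookup above depend on turning the Windows-style User-Name into a bare uid before it reaches the LDAP filter. The script below is an added example, not the poster's actual /etc/ulcmit/raddb/nodomain (which the thread never shows); the name forms it handles are assumed from the thread, and the RFC 4515 escape step is added so a User-Name containing filter metacharacters cannot alter the filter when the caller substitutes it unescaped.

```shell
#!/bin/sh
# Added example of a domain-stripping helper for the filter
#   uid=%{exec:/etc/ulcmit/raddb/nodomain %{User-Name}}
# The exec xlat hands User-Name to the script as its single argument.
# Not the poster's script; name forms below are assumed from the thread.

# nodomain: reduce the User-Name sent by the Windows XP supplicant to the uid
# stored in LDAP.
#   MALACHITE\gaa              -> gaa   (DOMAIN\user, the form that broke above)
#   gaa@ulticom.com            -> gaa   (user@realm)
#   host/malachite.ulticom.com -> host/malachite.ulticom.com (machine account,
#                                 left untouched so it can match a cn=host/... entry)
nodomain() {
    name=$1
    case "$name" in
        host/*) ;;                   # machine auth: keep the host/ prefix intact
        *) name=${name##*\\}         # drop everything up to the last backslash
           name=${name%%@*} ;;       # drop a trailing @realm
    esac
    printf '%s\n' "$name"
}

# ldap_escape: RFC 4515 escaping of one assertion value.  Backslash is handled
# first so the backslashes introduced for "*", "(" and ")" are not re-escaped.
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# filter_for: the complete search filter the thread's ldap section would run
# for one User-Name, built from the stripped and escaped uid.
filter_for() {
    printf '(&(objectclass=person)(uid=%s))\n' "$(ldap_escape "$(nodomain "$1")")"
}

# Script entry point: the User-Name arrives in argv, nothing is read from stdin.
if [ $# -gt 0 ]; then
    filter_for "$1"
fi
```

Run as `./nodomain 'MALACHITE\gaa'` it prints `(&(objectclass=person)(uid=gaa))`; a name such as `gaa*)(uid=admin` is escaped rather than allowed to change the filter.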
802.1x, WinXP and LDAP
group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns notfound for request 5
modcall: group authorize returns notfound for request 5
--

So, why don't my regular expressions apply during the group authorize? How can I fix the group authorize? Perhaps I don't need it. Some day I may use it for controlling VLAN assignment, but for now I would be happy to just differentiate between "auth" and "not auth".