RE: VLAN info disappears

2010-06-11 Thread Leighton Man
>How could it be, when it passes the same information in both cases (the
>only difference is the username/password)? Is it possible that the switch
>interprets the reply differently for dot1x and mab authentication?
>I know it's rather Cisco related issue than RADIUS, but maybe someone
>experienced it before.

The switch has a list of authentication methods to try for each type of login. 
For example my config for 802.1x says:

aaa authentication dot1x default group radius

You'll also need:
dot1x mac-auth-bypass
configured on the interface itself. There's some info here
http://www.symantec.com/connect/articles/snac-8021x-mac-authentication-bypass-mab-cisco-switch-and-ias

It's about IAS unfortunately, but it explains the cisco bits. Plenty more on 
the Cisco site as well.

Good luck,

Leighton


---
This transmission is confidential and may be legally privileged. If you receive 
it in error, please notify us immediately by e-mail and remove it from your 
system. If the content of this e-mail does not relate to the business of the 
University of Huddersfield, then we do not endorse it and will accept no 
liability.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Multiple LDAP searches

2010-03-31 Thread Leighton Man

>I am setting up freeradius 2.1.6 and seem to be stuck on how do I go about 
>setting up my ldap module to search multiple basedn if the user is not found 
>in the first? I have four that I need to search in my LDAP tree but cannot 
>figure out the correct way to make it search more than one. I feel like this 
>is probably something simple I'm missing but can't seem to see it atm.

Hi,
I have two instances defined in modules/ldap

ldap ldap_staff {

...

basedn = "ou=staff, ..."

..

}

ldap ldap_student {

...

basedn = "ou=student, ..."

..
}


Then, in authorise section,

ldap_staff
if (ok) {
    whatever stuff you need
}
else {
    ldap_student
    if (ok) {
        whatever other stuff you need
    }
    else {
        reject
    }
}

In my case the "stuff" returns cisco av pairs to control the switches. The 
user is rejected if they don't exist in either the "staff" or the "student" ou.

Hope this helps,

Leighton




RE: Setting VLAN from inner-tunnel

2010-03-29 Thread Leighton Man

>Thanks, but unless I'm missing something I don't understand how this
>can work from the inner tunnel without "update outer.reply" ?

Sorry, it's almost a year since I got this going. I didn't really *understand* 
how it worked then (and I still don't, though I'm learning!) but the config I 
sent is a straight copy from my sites-available/inner-tunnel and I see the 
relevant reply items being sent.

Sorry I can't be more help.

Leighton




RE: Setting VLAN from inner-tunnel

2010-03-29 Thread Leighton Man

>>Is there any way to make this work?

I have it working with:


update reply {
    Tunnel-Type = "VLAN"
    Tunnel-Medium-Type = "IEEE-802"
    Tunnel-Private-Group-Id = 141
}

Regards,

Leighton




RE: unlang help please

2010-02-17 Thread Leighton Man
> Use:
>
> if (request:Tunnel-Private-Group-Id == 13) {
>
> i.e. without the ":0"


Many thanks Alan

Leighton




unlang help please

2010-02-17 Thread Leighton Man

Using /usr/local/bin/radclient -f radpkt .. where radpkt contains:

Packet-Type = Access-Request
User-Name = "t...@test.test.test"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "13"


I have unlang in authorise section of sites-enabled/default, after pap:

if (request:Tunnel-Private-Group-Id:0 == "13"){
#if (request:Airespace-Wlan-Id == 3){
   update control {
  Proxy-To-Realm := LOCAL
   }
}

In debug mode I see:

rad_recv: Access-Request packet from host 172.17.193.111 port 51171, id=33, 
length=87
User-Name = "t...@test.test.test"
Airespace-Wlan-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "13"
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /usr/local/var/log/radius/radacct/auth-detail-%Y%m%d -> 
/usr/local/var/log/radius/radacct/auth-detail-20100217
[auth_log] /usr/local/var/log/radius/radacct/auth-detail-%Y%m%d expands to 
/usr/local/var/log/radius/radacct/auth-detail-20100217
[auth_log]  expand: %t -> Wed Feb 17 12:23:28 2010
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "test.test.test" for User-Name = "t...@test.test.test"
[suffix] Found realm "DEFAULT"
[suffix] Adding Realm = "DEFAULT"
[suffix] Proxying request from user test to realm DEFAULT
[suffix] Preparing to proxy authentication request to realm "DEFAULT"
++[suffix] returns updated
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (request:Tunnel-Private-Group-Id:0 == "13")
? Evaluating (request:Tunnel-Private-Group-Id:0 == "13") -> FALSE
++? if (request:Tunnel-Private-Group-Id:0 == "13") -> FALSE
expand: %{client:shortname} -> testing
++[request] returns noop


Etc. etc.

Can someone please explain why the comparison 
(request:Tunnel-Private-Group-Id:0 == "13") fails? I've tried single quotes, 
double quotes and no quotes around the 13. If I change == to != in the unlang, 
the comparison returns TRUE . If I use (request:Airespace-Wlan-Id == 4 ) in the 
comparison, it all works as I would expect.

Thanks in advance,

Leighton
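The three Tunnel-* reply items that come up in this thread and in the VLAN threads above are RFC 2868 "tagged" attributes: the first octet of each value is a tag (0x00 to 0x1F) that groups the three attributes into one set, and the ":0" suffix in the radclient file and in the unlang comparison names that tag octet. The following Python is an added example, not code from the posts or from FreeRADIUS, that encodes the triple the way a switch receives it and decodes it back, checking that all three attributes share one tag. Attribute numbers and the VLAN / IEEE-802 values are from RFC 2868 and the standard dictionary; the function names are my own.

```python
# Added example (not from the list posts): the Tunnel-* VLAN reply items as a
# switch sees them on the wire. RFC 2868 makes these "tagged" attributes: the
# first octet of the value is a tag (0x00..0x1F) that groups the three
# attributes together, and the ":0" suffix in the radclient file and in the
# unlang comparison refers to that octet. Attribute numbers and values are
# from RFC 2868 / the standard dictionary; the function names are mine.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802
TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_PRIVATE_GROUP_ID}


def encode_tagged_integer(attr, tag, value):
    """Tagged integer: one tag octet followed by a 24-bit big-endian value."""
    if not 0 <= tag <= 0x1F or not 0 <= value < (1 << 24):
        raise ValueError("tag must be 0..31 and the value must fit in 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def encode_tagged_string(attr, tag, value):
    """Tagged string: one tag octet followed by the string (253 octets max)."""
    body = bytes([tag]) + value.encode()
    if not 0 <= tag <= 0x1F or len(body) > 253:
        raise ValueError("tag must be 0..31 and the string must fit in 252 octets")
    return bytes([attr, 2 + len(body)]) + body


def vlan_reply_attributes(vlan_id, tag=0):
    """The three reply items from the posts, encoded as one run of AVPs."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attributes(data):
    """Parse a run of AVPs into (attr, tag, value); tag is None when untagged."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated AVP header")
        attr, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad AVP length")
        body = data[pos + 2:pos + length]
        pos += length
        if attr in TAGGED_INTEGER:
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 octets")
            out.append((attr, body[0], int.from_bytes(body[1:], "big")))
        elif attr in TAGGED_STRING:
            # RFC 2868: a first octet above 0x1F is not a tag but part of the string
            if body and body[0] <= 0x1F:
                out.append((attr, body[0], body[1:].decode()))
            else:
                out.append((attr, None, body.decode()))
        else:
            out.append((attr, None, body))
    return out


def vlan_from_reply(data):
    """What a switch applies: the VLAN id from a Tunnel-* triple that shares one
    tag, or None when the triple is incomplete or its tags do not agree."""
    by_tag = {}
    for attr, tag, value in decode_attributes(data):
        key = 0 if tag is None else tag   # RFC 2868: tag 0 means "unused"
        by_tag.setdefault(key, {})[attr] = value
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    wire = vlan_reply_attributes(141)
    print(wire.hex())
    print(decode_attributes(wire))
    print("switch applies VLAN", vlan_from_reply(wire))
```

The decoder deliberately refuses a triple whose tags disagree: a reply carrying Tunnel-Type with tag 1 but Tunnel-Private-Group-Id with tag 0 is two half-sets, not one VLAN assignment, and a switch that silently picked one of them would be guessing at policy.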







RE: How to ignore some NASs?

2010-02-12 Thread Leighton Man
> Hi,
>
> I need to configure freeradius to ignore requests from particular clients based 
> on NAS-IP-Address. Is there a quick way to do this?


Nothing like a 1 hour meeting for thinking!
Added them to clients.conf with the wrong secret!

Thanks,
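Why a client entry with a deliberately wrong secret has the effect described above comes down to the Response Authenticator of RFC 2865: the NAS recomputes it with its own secret and discards any reply that does not match. The Python below is an added example, not code from the post or from FreeRADIUS, that builds an Access-Accept on the server side and verifies it on the NAS side with matching and with mismatched secrets; the secrets and the Reply-Message text are constructed placeholders.

```python
# Added example (not from the list posts): what a NAS does with a reply that
# was computed with a different shared secret than its own. RFC 2865, section 3:
#   Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
# The NAS recomputes it with its own secret and discards any reply that does
# not match, so a client defined with a deliberately wrong secret never gets a
# usable Access-Accept or Access-Reject back.
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18  # RFC 2865 attribute number


def attribute(attr, value):
    """Encode one plain (untagged) RADIUS AVP: type, length, value."""
    if isinstance(value, str):
        value = value.encode()
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr, 2 + len(value)]) + value


def build_reply(code, ident, request_auth, attrs, secret):
    """Server side: an Access-Accept/Reject with its Response Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(packet, request_auth, secret):
    """NAS side: recompute the Response Authenticator with the NAS's own secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    # constant-time comparison so the check does not leak timing
    return hmac.compare_digest(received, expected)


def nas_accepts_reply(nas_secret, server_secret, ident=33, request_auth=None):
    """Simulate one exchange: the NAS sent ident/request_auth, the server answers."""
    if request_auth is None:
        request_auth = os.urandom(16)  # the NAS picks a fresh random value per request
    reply = build_reply(ACCESS_ACCEPT, ident, request_auth,
                        attribute(REPLY_MESSAGE, "constructed sample reply"),
                        server_secret)
    return verify_reply(reply, request_auth, nas_secret)


if __name__ == "__main__":
    # placeholder secrets, constructed for the demonstration
    print("same secret  ->", nas_accepts_reply(b"s3cret-placeholder", b"s3cret-placeholder"))
    print("wrong secret ->", nas_accepts_reply(b"s3cret-placeholder", b"deliberately-wrong"))
```

The check only exists in the reply direction. An Access-Request's Request Authenticator is a random value rather than a MAC, so unless the request carries a Message-Authenticator attribute (RFC 2869) that the server verifies, the server still parses and processes a request that arrives under a mismatched secret; the User-Password it hides simply decodes to garbage and the eventual Access-Reject is discarded by the NAS in the same way. The wrong-secret entry therefore keeps usable replies from reaching the NAS; it does not stop the server from doing work on the request, which is worth knowing when the motivation is load rather than policy.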





How to ignore some NASs?

2010-02-12 Thread Leighton Man
Hi,

I need to configure freeradius to ignore requests from particular clients based 
on NAS-IP-Address. Is there a quick way to do this?

Thanks,

Leighton




RE: Cisco Aironet 1240AG, PEAP and Active directory

2010-02-09 Thread Leighton Man
> I have tried version 3.3.10 and 3.4.5.
>
> Which stable version can you recommend?


Version 3.0.35 is working for me. I went through the downgrade process quite a 
few months ago and settled on that version. It's been fine ever since.

Regards,

Leighton




RE: How not to proxy?

2009-12-18 Thread Leighton Man

>something like   Proxy-To-Realm := LOCAL
>
>This is documentented in a comment just before the "realm LOCAL"
>definition in the default proxy.conf.

Thanks for the guidance. If anyone is interested the construct below seems to 
work a treat.

Leighton


if ((request:NAS-Port-Type == Virtual || request:NAS-Port-Type == Async) && 
    ..more conditions to define the NAS...) {
    update control {
        Proxy-To-Realm := LOCAL
    }
    if (ldap_staff-Ldap-Group == correctADgroup) {
        update control {
            Auth-Type := "ntlm_auth"
        }
        update reply {
            cisco-avpair = shell:priv-lvl=15
        }
    }
}




How not to proxy?

2009-12-18 Thread Leighton Man
Hi,

I am authenticating users on cisco switches (telnet or console access) amongst 
others.
In sites-enabled/default, after pap, I have:

if (!control:Auth-Type && (request:NAS-Port-Type == Virtual || 
    request:NAS-Port-Type == Async) && ldap_staff-Ldap-Group == correctADgroup) {
    update control {
        Auth-Type = "ntlm_auth"
    }
    update reply {
        cisco-avpair = shell:priv-lvl=15
    }
}

If I enter "u...@realm" rather than just "user" then the request is proxied to 
the servers for the default realm. What is the best way to prevent proxying for 
just these users whilst allowing it for all others?
A pointer to the relevant docs would be much appreciated.
Thanks in advance,

Leighton




RE: Active directory ldap groups

2009-12-04 Thread Leighton Man


>
> http://wiki.freeradius.org/Rlm_ldap#Group_Support
>

One hour to formulate the problem, One line to fix it!!

MANY thanks Ivan.

Regards,

Leighton




Active directory ldap groups

2009-12-03 Thread Leighton Man
Hi,

In modules/ldap, I have:

ldap ldap_staff{

Queries the staff ou in AD

}

ldap ldap_student{

Queries the student ou in AD

}

In authorise section of inner tunnel virtual server I have:

ldap_staff
if (ok) {
    update reply {
        Tunnel-Type = "VLAN"
        Tunnel-Medium-Type = "IEEE-802"
        Tunnel-Private-Group-Id = 141
    }
}
else {
    ldap_student
    if (ok) {
        update reply {
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = 142
        }
    }
    else {
        reject
    }
}


All working OK and happily authorising any user who exists in Active Directory 
and instructs the NAS which vlan to put them into.

Now I'm trying to authorise/authenticate users in a particular AD group for 
console access to the NAS (cisco switch)

In default virtual server I have, after pap:

$INCLUDE local/default_policy

And in local/default_policy:

if(!control:Auth-Type && request:NAS-Port-Type == Async && Ldap-Group == 
ADGROUP) {
 update control {
  Auth-Type = "ntlm_auth"
 }
}

ADGROUP is replaced with whichever group has the appropriate users

If I don't have the Ldap-Group condition everything works except any valid 
username/password pair works.
When I add the condition, radiusd -x shows
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=user)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed


First question - How do I tell rlm_ldap to query the staff ou without breaking 
the bit that is already working
Second question - Is there any reason I shouldn't use the "$INCLUDE 
local/default_policy" construct. The idea is to make the policies easy to find 
as they get more complex; there are several more groups of users to go yet.


Thanks in advance,

Leighton




RE: ntlm_auth and Server 2008 R2 (or, how to select a group for a proxied request)

2009-11-27 Thread Leighton Man
Hi,

I had problems when we upgraded to 2008 server. Ntlm_auth stopped working. It's 
a while back now so I don't remember the details but the solution was to 
reinstall samba. I'm pretty sure it was 3.4 that didn't work for us.
Google provided quite a bit of info.

On our running system, ntlm_auth --version reports "Version 3.0.35"

Sorry I can't remember more details,

Leighton




RE: Exec and ntlm_auth

2009-11-26 Thread Leighton Man
Hi all,

Thanks to everyone for their help. I seem to have generated quite a bit of 
discussion so I thought I'd summarise where I'm "up to" in case it helps.

I have a server successfully authenticating users using eap-mschapv2 or 
eap-ttls for eduroam and wired 802.1x. I'm now trying to expand the system to 
include authorisation/authentication for console and telnet access to cisco 
switches.

For telnet access, I now have:

A new file modules/ntlm_auth which contains,

exec ntlm_auth {
    wait = yes
    program = "/usr/sfw/bin/ntlm_auth --request-nt-key --username=%{User-Name} --password=%{User-Password}"
}

At the end of the users file,

DEFAULT NAS-Port-Type = Virtual, NAS-IP-Address = x.x.x.x, Auth-Type := ntlm_auth

And at the end of the sites-enabled/default and sites-enabled/inner-tunnel 
authenticate sections, immediately after eap

ntlm_auth

It works though interestingly (for me at least) if I comment out ntlm_auth from 
the inner-tunnel file, the server fails to start with an
"Unknown value ntlm_auth for attribute Auth-Type" error. I don't understand 
that as I don't want to use this authentication method with peap!

Obviously the users entry above only works for a single switch as the IP 
address is specified. Next step is to specify groups of switches.

Thanks again,

Leighton





RE: Exec and ntlm_auth

2009-11-26 Thread Leighton Man
>
>   That change is just re-organization.  It doesn't affect the
> way the server runs.
>


>
>   What part of the instructions is not working for you?
>

The one that I failed to follow properly!!
Not sure which one it was though  :-)

Thanks for your help. On to the next problem

Leighton




Exec and ntlm_auth

2009-11-25 Thread Leighton Man
Hi
Help again please!
I've read the doc at 
http://deployingradius.com/documents/configuration/active_directory.html and 
I'm now confused again.
I'm running version 2.1.7 so module configurations are now in a separate 
directory rather than modules.conf.

I have an access request packet containing User-name and User-Password. Where 
do I configure the ntlm_auth command so I can authenticate against Active 
Directory (which, by the way, is giving me more pain than anything else I've 
dealt with for quite a while!!)

Thanks,

Leighton




RE: Groups of NASs by IP

2009-11-25 Thread Leighton Man

> I used to use huntgroups to do this, however recently
> discovered in the mailing list archives that the clients.conf
> file can be used to better effect with grouping:
> 
> client 2.3.4.0/24 {
> shortname   = switch
> secret  = blar
> }
> client 3.4.5.0/24 {
>   shortname   = switch
>   secret  = hoot
>
>   vendor  = allied-telesis
> }
> client 1.2.3.0/28 {
> shortname   = console
> secret  = honk
> }
> 
>
> Then in your virtual server you can use something like:
> 
> authorize {
>
> 
>
>   update request {
>   # NAS-Vendor is a local custom dict addition
>   NAS-Vendor  := "%{client:vendor}"
>   NAS-Identifier  := "%{client:shortname}"
>   }
>
> 
>
>   files
>
> 
>
> }
> 
>
> Your 'users' file then has:
> 
> DEFAULT NAS-Identifier == switch, NAS-Vendor ==
> allied-telesis, LDAP-Group == netref
> Service-Type = Administrative-User DEFAULT
> NAS-Identifier == switch, LDAP-Group == netref
> Service-Type = NAS-Prompt-User, Cisco-AVPair =
> "shell:priv-lvl=15"
> DEFAULT NAS-Identifier == switch, Auth-Type := Reject
> 
>
> You can actually add *anything* to the client subsections
> ('shortname'
> and 'secret' are the only FreeRADIUS variables in there, the 'vendor'
> bit is not known to FreeRADIUS) and FreeRADIUS will simply
> ignore it but it is accessible via '%{client:NAME}'.
>
> The advantage with this approach is that you are doing the
> NAS grouping in the clients.conf file rather than potentially
> duplicating it in the 'hints' and/or huntgroups file.
>
> Cheers
>

Many many thanks for this. Strangely enough, I already have the major groups in 
clients.conf for other reasons and the ultimate goal is to control logins on 
our cisco infrastructure and thus retire ACS. You've given me a lot of help.
Thanks,

Leighton
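The quoted reply groups NASs by network in clients.conf, copies the server's own view of the client into the request, and then lets three DEFAULT entries in the users file decide. The Python below is an added example, not code from the thread or from FreeRADIUS, that models that path offline: client lookup by source address, the `update request` step, and the users-file policy. The networks, secrets and the "netref" group come from the quoted text as placeholders; the extra 1.2.3.0/24 block is constructed here to show what happens when client networks overlap.

```python
# Added example (not from the list posts): the clients.conf grouping and the
# users-file policy from the reply above, modelled in Python so the matching
# can be checked offline. Networks, secrets and the "netref" group are
# placeholders from the quoted text; the 1.2.3.0/24 block is constructed.
import ipaddress

CLIENTS = [
    {"network": "2.3.4.0/24", "shortname": "switch",  "secret": "blar",  "vendor": None},
    {"network": "3.4.5.0/24", "shortname": "switch",  "secret": "hoot",  "vendor": "allied-telesis"},
    {"network": "1.2.3.0/28", "shortname": "console", "secret": "honk",  "vendor": None},
    # constructed: a wider block that overlaps the console /28
    {"network": "1.2.3.0/24", "shortname": "switch",  "secret": "quack", "vendor": None},
]


def load_clients(entries):
    """Sort client networks longest prefix first so the most specific block
    wins, the order FreeRADIUS tries prefixes when client networks overlap."""
    table = [(ipaddress.ip_network(e["network"], strict=True), e) for e in entries]
    table.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return table


def find_client(table, src_ip):
    """Look up the NAS by the packet's source address. None means an unknown
    client, whose packets FreeRADIUS drops without a reply."""
    ip = ipaddress.ip_address(src_ip)
    for network, entry in table:
        if ip in network:
            return entry
    return None


def request_attributes(client):
    """The 'update request' block: NAS-Identifier and NAS-Vendor are set from
    the server's own client table, overriding whatever the NAS sent, so a
    device cannot become a 'switch' by filling in NAS-Identifier itself."""
    return {"NAS-Identifier": client["shortname"], "NAS-Vendor": client["vendor"]}


def users_policy(request, user_groups):
    """The three DEFAULT entries from the quoted users file; first match wins
    because the files module stops at a matching entry without Fall-Through."""
    nas_id, vendor = request["NAS-Identifier"], request["NAS-Vendor"]
    if nas_id == "switch" and vendor == "allied-telesis" and "netref" in user_groups:
        return {"Service-Type": "Administrative-User"}
    if nas_id == "switch" and "netref" in user_groups:
        return {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}
    if nas_id == "switch":
        return {"Auth-Type": "Reject"}
    return {}   # no DEFAULT entry matched; later modules decide


def authorize(table, src_ip, user_groups):
    """One Access-Request end to end: client lookup, request update, users file."""
    client = find_client(table, src_ip)
    if client is None:
        return None
    return users_policy(request_attributes(client), user_groups)


if __name__ == "__main__":
    table = load_clients(CLIENTS)
    for ip, groups in [("3.4.5.77", {"netref"}), ("2.3.4.9", {"netref"}),
                       ("2.3.4.9", {"students"}), ("1.2.3.5", {"netref"}),
                       ("1.2.3.200", {"netref"}), ("10.9.8.7", {"netref"})]:
        print(ip, sorted(groups), "->", authorize(table, ip, groups))
```

The ordering in `users_policy` matters: the Allied Telesis entry has to come before the generic switch entry, and the `Auth-Type := Reject` catch-all last, because the files module takes the first matching DEFAULT. The console client matches none of the three, which is the intended "fall through to whatever else is configured" outcome rather than an accidental accept.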




Groups of NASs by IP

2009-11-25 Thread Leighton Man
Hi,

I would like to group NASs by ip address but as I have a few hundred, I don't 
want to maintain a list.

Can I configure ip address ranges in huntgroups eg. Group1 NAS-IP-Address == 
192.168.1.101 - 105
If not, can I use regular expressions?

How else can I do this? What is the best way?

Thanks in advance,

Leighton




RE: Ldap search and AD operations error

2009-10-20 Thread Leighton Man

> Subject: RE: Ldap search and AD operations error
>
> Leighton,
>
> Try using ldapsearch in verbose mode (and debug mode) to get
> more info from AD.
>
> ldapsearch -v -h  -D "cn= dc=ad,
> dc=hud, dc=ac, dc=uk"  -w  -x -b "dc=ad, dc=hud,
> dc=ac, dc=uk"
> "(sAMAccountName=mytestusername)"
>
> From a Windows machine, you can also use tools from joeware.com, try adfind
> (http://www.joeware.net/freetools/tools/adfind/index.htm).
>
> Once you are able to successfully query AD from a Windows
> machine and/or ldapsearch, update your FR configuration and try again.
>
> Tim
>

Many thanks for the reply Tim and apologies for the long delay before trying 
this.

Ldapsearch from the command line as you suggest above works fine yet the debug 
from FR shows this:

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ad, dc=hud, dc=ac, dc=uk, with filter 
(sAMAccountName=mytestusername)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

The basedn and filter are identical on the command line and in the config. If I 
specify an AD container in the config, the search succeeds (providing it's the 
right container, of course )

Any more ideas - I'm really stuck on this one!

Leighton




Ldap search and AD operations error

2009-10-06 Thread Leighton Man
Hi All,

Following everyone's help our eduroam system is up and running by the target 
date - Many thanks, particularly to Alan and Ivan.

I'm now trying to configure it *properly*

I have, in the ldap module configuration:

 chase_referrals = yes
rebind = yes

I'm running version 2.1.6 on Solaris doing lookups against Active Directory.

I get, in the debug:

rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ad, dc=hud, dc=ac, dc=uk, with filter 
(sAMAccountName=mytestusername)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap::ldap_groupcmp: search failed

Has anyone got latest information on what causes this or how to fix it. I have 
a workaround but it's not ideal.
I assume trying to get more helpful information out of Microsoft AD is pretty 
futile but has anyone any clues as to what "operations error" really means? The 
workaround is to specify a container in the search but as the number of 
possible containers for a search increases things rapidly begin to get out of 
hand.

Regards,

Leighton




RE: Rlm_ldap not found

2009-10-01 Thread Leighton Man
>   Hi,
>   I found the solution (anyway it worked with mine):
>   -try to find what version of openldap is in your system(the default 
> one) by using the basic command.
>   -try to find what packages provides the "unfounded" shared file. On 
> cenTos u can do it with yum whatprovides blablafile.
>   -if the result is already installed u have to reinstall it, on CentOS u 
> can do that with yum reinstall blablafile.
>   It worked for me ...
>   Thx to the team!
>   Best regards
>

Thanks, glad it worked for you.

Didn't for me unfortunately. I've built another virtual Solaris box and it's 
all working now. I'll have another look at the linux box if I ever get time.

Thanks to all who helped.

Leighton




RE: Build failure on arch Linux

2009-09-28 Thread Leighton Man
> what system are you building on - I've noted several 'creaky'
> distros of late which have older versions of the tools/libraries
>
Arch Linux - 2.6.30 kernel and libtool 2.2.6a-3 which seems to be part of the 
problem. All compiled now so hopefully will find time to test tomorrow. After 
that back to the original rlm_ldap problem.

Cheers,

Leighton




RE: Build failure on arch Linux

2009-09-28 Thread Leighton Man

>   The macro name has, of course, no meaning, and doesn't
> demonstrate any opinion about libtool.
>
Nevertheless it worked like a dream :-)

Many thanks Alan,

Leighton




Build failure on arch Linux

2009-09-28 Thread Leighton Man
Hi,

Foolishly, I said earlier today that building on Linux should be a breeze. I 
should have kept quiet!!

I downloaded 2.1.7 and it failed to build rlm_krb5 with messages about 
structure members. I reran configure with --without-rlm-krb5 and got:
In function 'setup_modules':
 undefined ref to lt__PROGRAM__LTX_preloaded_symbols in src/main/modules.c.

I notice in the bug fixes for 2.1.7 there's a workaround added. Seems it 
doesn't work for me.

Any suggestions please.

Leighton




RE: Rlm_ldap not found

2009-09-28 Thread Leighton Man

> do you have multiple copies of freeradius installed? did you
> install it from source at some point - or from another package?
>

No and No

> i'm not the package maintainer so cant say how your chosen
> package was compiled... i build from source
>

Think I should too. I compiled it on solaris so linux should be a breeze! I was 
hoping for a shortcut :-(

Thanks again,

Leighton





RE: Rlm_ldap not found

2009-09-28 Thread Leighton Man

Many thanks for the quick response

> install freeradius-ldap package too.

Tried that first - package not found - so I went looking for rlm_ldap and it's 
there in usr/lib/freeradius along with the other modules

Am I missing something obvious??

Thanks again,

Leighton




Rlm_ldap not found

2009-09-28 Thread Leighton Man
Hi all,
Hope this is an easy one:
Freeradius 2.1.6 on arch linux installed from a package. All is well until I 
uncomment ldap in the authorise section of sites-enabled/inner-tunnel then I 
get:
/etc/raddb/modules/ldap[29]: Failed to link to module 'rlm_ldap': file not found
followed by Failed to find module "ldap" ..
rlm_ldap.so is a symlink to rlm_ldap-2.1.6.so which has the same permissions 
and is in the same directory as the other modules which load OK (they are also 
symlinks in the same directory).
I've checked for typos until I'm beginning to see them even when they are not 
there!

Radiusd -X shows no errors or warnings and after the ***Loading Virtual 
Servers message continues linking and instantiating modules up to and 
including "files" then the error above.
Not easy to post the whole output as I haven't got ftp running yet.

Where should I look next?

Regards,

Leighton




RE: bootstrap problem

2009-07-31 Thread Leighton Man
Hi,
I had this problem a while back on Solaris 10. -e in the if statement doesn't 
work. -c worked for me.
Hope this helps,
Leighton

> -Original Message-
> From: freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org
> [mailto:freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org] On Behalf Of shivashankar
> Sent: 31 July 2009 08:36
> To: freeradius-users@lists.freeradius.org
> Subject: bootstrap problem
>
>
> hi,
>
> i am using Freeradius2.1.6
>
>
> bash-3.00# /usr/local/etc/raddb/certs/bootstrap
> sh: test: argument expected
> *** Error code 1
> The following command caused the error:
> if [ -e /dev/urandom ] ; then \
> dd if=/dev/urandom of=./random count=10 >/dev/null
> 2>&1; \ else \
> date > ./random; \
> fi
> make: Fatal error: Command failed for target `random'
> Generating DH parameters, 1024 bit long safe prime, generator
> 2 This is going to take a long time
> 
> 
> +...
> 
> ..+.
> +.+.
> .+.+.+..
> --
> View this message in context:
> http://www.nabble.com/bootstrap-problem-tp24752354p24752354.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



RE: make install without messing with previous configuration?

2009-07-15 Thread Leighton Man
Hi,
I tar the entire raddb directory (from the level above), reinstall, and untar 
the original config over the top of the new one. That way I can keep multiple 
configs whilst experimenting and switch between them.
Regards,
Leighton

> -Original Message-
> From: freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org
> [mailto:freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org] On Behalf Of Nicolas Goutte
> Sent: 15 July 2009 09:03
> To: FreeRadius users mailing list
> Subject: Re: make install without messing with previous configuration?
>
>
> Am 15.07.2009 um 09:53 schrieb Stefan Winter:
>
> > Hi,
> >
> >> I do not know how to do it at compile time but you can do it at
> >> runtime by specifing -d your_directory to radiusd.
> >>
> >> So perhaps a make install will install many configuration
> files but
> >> not where *your* configuration is.
> >
> > Yes, I considered pointing --with-raddb-dir=/tmp/trash or so. But I
>
> I am not sure but does that mean that the binary that you
> create would point to that directory too. So in that case,
> you would have to specify the real directory at runtime too.
>
> > don't want a one-time installation problem to require attention
> > whenever I run the service in the future. It is then something to
> > remember constantly (and to document for on-duty personnel
> etc. ...),
> > only to fix a single-shot problem. It just doesn't sound
> right to me.
>
> Yes, I had not seen it from that point of view.
>
> >
> > Greetings,
>
> Have a nice day!
>
> >
> > Stefan
> >
> > --
> > Stefan WINTER
> > Ingenieur de Recherche
> > Fondation RESTENA - Réseau Téléinformatique de l'Education
> Nationale
> > et de la Recherche 6, rue Richard Coudenhove-Kalergi
> > L-1359 Luxembourg
> >
> > Tel: +352 424409 1
> > Fax: +352 422473
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
> Nicolas Goutte
>
>
> extragroup GmbH - Karlsruhe
> Waldstr. 49
> 76133 Karlsruhe
> Germany
>
> Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
> Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.:
> 337/5903/0421 / UstID: DE 204607841
>
>
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



RE: rlm_ldap: ldap_search() failed: Operations error

2009-07-02 Thread Leighton Man
I suffered with this for a while. In my case it was because a lookup against the 
AD root failed. I had to specify a container. Since I needed to look in 
different containers, a bit of "unlang" and Alan and Ivan's help fixed it.
Hope this helps,
Leighton


From: freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+l.j.man=hud.ac...@lists.freeradius.org] On 
Behalf Of Alba
Sent: 01 July 2009 22:45
To: FreeRadius users mailing list
Subject: Fwd: rlm_ldap: ldap_search() failed: Operations error

> It's a magic LDAP && Active directory issue.

:-)

Thanks!


On Wed, Jul 1, 2009 at 3:15 PM, Alan DeKok <al...@deployingradius.com> wrote:
Alba wrote:
> Thanks Alan, I'll try it.
>
> Do you know the cause of this message? Is it a bug or a configuration issue?

 It's a magic LDAP && Active directory issue.

 Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





RE: Not doing Peap/ttls

2009-05-29 Thread Leighton Man

> > Help please and sorry for the long post. Quick description
> of the problem:
> > New build Freeradius 2.1.4/5 on solaris x86 vmware. Client
> is a laptop
> > running windows XP through a cisco switch configured for 802.1x.
> > Will not do peap. Reconfigure the switch to use a different
> freeradius
> > server (2.1.3 on sparc solaris) and it works fine.
> > Output of raduisd -X on the non-working server below.
>
> Hm, is your (non-working) radius server multihomed? Is switch
> sending packets to one IP and getting them back from another.
> Clients will ignore packets from unknown servers just like
> servers ignore packets from unknown clients.
>
> Ivan Kalik
> Kalik Informatika ISP

Of course, in order to ignore the packet, it first has to receive it!
Network access list blocking new server.

Many thanks for helping again.

Leighton



RE: Login to Cisco devices through freeradius

2009-03-20 Thread Leighton Man

 

> There is nothing related to eap to comment out in these files...
> Should I create a certificate? Is it compulsory?

Hi,
I've just struggled through all this so it's nice to try and help. Always take 
note of the FIRST error message in the debug. The later ones can be confusing 
if you don't understand what's going on. 
Your problem seems to be that the server can't read the certificate files. If 
they aren't there, it won't be able to. When I compiled freeradius it generated 
test certificates itself (after tweaking the Makefile). Are you using the 
latest version?

You must have certificates to do SSL. They live in the raddb/certs directory.

Regards,

Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-12 Thread Leighton Man
> And many requests later you ask about it:
> 
> >++? if (control:Tmp-String-0 == "ldap-student")
> >(Attribute control:Tmp-String-0 was not found)
> 
> .. and it's not there. Of course it's not, since it wasn't 
> set during processing of that Access-Request but much earlier 
> in the exchange.

Obvious when it's pointed out but I really don't understand the whole process 
yet. I'll keep reading the docs until I do!
 
> I would suggest that you move unlang statements to 
> inner-tunnel virtual server. You can do update reply and set 
> Reply-Message in authorize there (forget about temp attribute 
> and changing it in post-auth). Just enable 
> use_tunneled_reply in peap section of eap.conf and 
> Reply-Message will be passed on from inner tunnel into the 
> final reply.
> 

All working now. Thank you.

Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
> Can you post the whole debug, not just snippets. Are these
> from the same or from different requests in the exchange?
> Perhaps you need use_tunneled_reply rather than this.
>
Here's the complete debug (excluding the server start-up messages). There's 
rather a lot of it which is why I tried to post the bits relevant to what I'm 
trying (rather unsuccessfully :-) ) to understand.

Leighton


rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, 
length=148
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x0203000d01636d73786c656967
Message-Authenticator = 0xbc90b1b0b5ceba80a6767ff94c59ed43
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap_staff] performing user authorization for cmsxleig
[ldap_staff]expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> 
(sAMAccountName=cmsxleig)
[ldap_staff]expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, 
dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as 
cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to 
burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=cmsxleig)
rlm_ldap: object not found or got ambiguous search result
[ldap_staff] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_staff] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
[ldap_student] performing user authorization for cmsxleig
[ldap_student]  expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> 
(sAMAccountName=cmsxleig)
[ldap_student]  expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> 
ou=students, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as 
cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to 
burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
EAP-Message = 0x010400160410d7424da981434c0db858d196aa1331b4
Message-Authenticator = 0x
State = 0x5de163455de567c927acd591e49a319b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, 
length=159
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020400060319
Message-Authenticator = 0x4dbcf0832938a2550152bfdcb815ec8c
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455de567c927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {..

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
> 
>   Update a server-side attribute when you use the module:
> 
> update control {
> Tmp-String-0 = "ldap-student"
> }
> 
>   then in post-auth:
> 
>   if (control:Tmp-String-0 == "ldap-student") {
> ...
> 
>   }
>
I'm really grateful for all your help but it still doesn't work and after hours 
of experimenting, here's where I am:

I add 

if (control:Tmp-String-0 == "ldap-student") {
 update reply {
   Reply-Message := "User is student"
 }
}
to the end of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 53 to 10.127.240.217 port 1645

Fair enough - The user is authenticated but Tmp-String-0 hasn't been assigned a 
string.

I add 

update control {
   Tmp-String-0 = "ldap-student"
}
to the beginning of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[control] returns noop
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
? Evaluating (control:Tmp-String-0 == "ldap-student") -> TRUE
++? if (control:Tmp-String-0 == "ldap-student") -> TRUE
++- entering if (control:Tmp-String-0 == "ldap-student") {...}
+++[reply] returns noop
++- if (control:Tmp-String-0 == "ldap-student") returns noop
Sending Access-Accept of id 101 to 10.127.240.217 port 1645

OK so far, so I move

update control {
   Tmp-String-0 = "ldap-student"
}

to the authorize section, thus:

ldap_staff
if (ok) {
update reply {
Reply-Message = "ldap-staff"
}
}
else {
  ldap_student
  if (ok) {
update control {
   Tmp-String-0 = "ldap-student"
}
  }
  else {
   reject
  }
}

And I get:

 ++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 129 to 10.127.240.217 port 1645

Towards the beginning of the debug output is:

rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop

Does "[control] returns ok" mean the string was successfully assigned? If 
so, how do I find where it gets lost? 
A search for ldap-s through the file only produces two matches, one where the 
string is assigned and the other where it is tested. Similarly a search for 
Tmp-Str only finds two matches.

history | grep vi shows I haven't accidentally edited another file.

Leighton

 



RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
> 
>   see "man unlang".  The syntax and examples are documented.
>
Read it many times. The problem is not the documentation, which is great, but 
my understanding which isn't!
I'm working on it but finding it heavy going.
> 
>...
>ldap_staff
>if (ok) {
>   update reply {
>...
>   }
>}
>else {
>  ldap_student
>  if (ok) {
> update reply {
>  ...
> }
>  }
>  else {
>   reject
>  }
>}

Logic now working correctly - Many thanks
Final problem is to return reply attributes in the access accept message. As a 
test I added Reply-Message := "User is staff" in the update reply section and 
the server duly added it to the next access challenge message. I assume I need 
something in the post-auth section?
How do I pass information about which ldap instance was successful in the 
authorize section to post-auth?

Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
> Now I'm trying to return different reply attributes 
> depending on Active Directory group membership and restrict 
> which groups can authenticate. Ldap lookups against the 
> active directory root fail with operation error. 
> Reconfiguring Active Directory is not a viable option so I 
> have to specify an OU= in the query. I have configured 
> two instances of the ldap module for authorisation, one to 
> query the staff ou and the other to query the student ou. 
> Both work OK for valid queries but if the user does not exist 
> in the ou the server still authenticates the 
> username/password and grants access if valid.
> 
> You need to upgrade to 2.x and use unlang. See man unlang on 
> freeradius site. You need something like:
> 
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else} else update 
> control { to reject }
> 


I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts.
I can't do "if Ldap-Group" because there is no container in Active Directory 
above staff and student to query.

What I think I need is:

if ldap_staff returns "ok" {
    update reply {
        ..
    }
}
elsif ldap_student returns "ok" {
    update reply {
        ..
    }
}
else {
    Auth-Type := Reject
}

where ldap_staff and ldap_student are instances of the ldap module.
I simply can't get the syntax right.
Am I on the right track? If so, a little help please.

Regards,
Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man

> Hmm... would it be possible to have to give *more* output? i.e. start from a
> fresh directory:
>
> $ tar -zxf freeradius-server-2.1.3.tar.gz
> $ cd freeradius-server-2.1.3
> $ ./configure
> $ gmake
>
> And show the errors (not the dozens of lines saying "building foo", or the
> last dozen lines saying "error"), but the real informative errors about
> building dict.c, and what errors were encountered building dict.c.
>
> The only way I can see that error happening is if the source and/or build
> process is broken.
>
> Alan DeKok.


From the beginning:

rm -rf freeradius-server-2.1.3
tar xvf freeradius-server-2.1.3.tar (it's already been unzipped with "gzip -d")
cd freeradius-server-2.1.3
./configure | grep configure

...Lots of output including:
configure: WARNING: pcap library not found, silently disabling the RADIUS 
sniffer.
config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to ignore the 
--datarootdir setting
configure: WARNING: silently not building rlm_counter. 
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: EVP_sha256 not found, may have issues wirh WiMAX 
certificates
configure: WARNING: the TNCS libraryconfigure: WARNING: silently not building 
rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm. isn't found!
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires:  EXTERN.h perl.h libperl.so.
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.h.configure: WARNING: 
silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires:  Python.h libpython2.3.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-home-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

Then:

gmake

Got the error about undefined symbol SUN_LEN
Edited src/include/radiusd.h

gmake

...and it all compiles OK.
Not sure what I did wrong the first time but many thanks for your help.

Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man

> Huh?  It compiles on 3-4 different Solaris boxes that I have access to.
>
> Did you run "make" from the TOP directory, or by cd'ing to src/lib?
>
> Alan DeKok.

Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS 
-I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c  -fPIC -DPIC -o 
.libs/dict.o" (copy and paste from the gmake output) from the src/libs 
directory. Same error both times.

Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
 
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
>so please have patience.
>I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
>authenticate against Active Directory using ntlm-auth.
>All working OK.
>Now I'm trying to return different reply attributes depending on Active 
>Directory group membership and restrict which groups can authenticate. Ldap 
>lookups against the active directory root fail with operation error. 
>Reconfiguring Active Directory is not a viable option so I have to specify an 
>OU= in the query. I have configured two instances of the ldap module for 
>authorisation, one to query the staff ou and the other to query the student 
>ou. Both work OK for valid queries but if the user does not exist in the ou 
>the server still authenticates the username/password and grants access if 
>valid.

> You need to upgrade to 2.x and use unlang. See man unlang on freeradius site.
> You need something like:
>
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else} else update control { to
> reject }
>
> Ivan Kalik
> Kalik Informatika ISP

Many thanks for this. I'm using 1.1.7 because it's available as a pre-built 
package on solaris for both sparc and x86 architectures. The idea is to get 
freeradius configured and working as fast as possible so it can be demo'd to 
management (I'm trying to retire Cisco ACS). Then to test it on x86 standard 
build which is being developed in parallel. Then, if all works, upgrade to 
latest version.
Version 2.1.3 won't compile on my Solaris box and the problem looks, to me, 
non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a 
function))

Is there any way to do what I want without upgrading?

Regards,

Leighton
 



Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Hi,
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
authenticate against Active Directory using ntlm-auth.
All working OK.
Now I'm trying to return different reply attributes depending on Active 
Directory group membership and restrict which groups can authenticate. Ldap 
lookups against the active directory root fail with operation error. 
Reconfiguring Active Directory is not a viable option so I have to specify an 
OU= in the query. I have configured two instances of the ldap module for 
authorisation, one to query the staff ou and the other to query the student ou. 
Both work OK for valid queries but if the user does not exist in the ou the 
server still authenticates the username/password and grants access if valid. 
Relevant debug output:

rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=stafftest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list

...

 rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645
 
Relevant bits of radiusd.conf:

ldap ldap_student {
        server = "server.hud.ac.uk"
        identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
        password = secret
        port = 636
        basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
        filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
        start_tls = no

        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

instantiate {
        exec
        expr
        ldap_staff
        ldap_student
}

authorize {
        preprocess
        mschap
        suffix
        eap
        Autz-Type staff {
                ldap_staff
        }
        Autz-Type student {
                ldap_student
        }
        files
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

I want to reject the user if they are not in the relevant ou. I must be missing 
something obvious. Can anyone help please?

Thanks in advance,
Leighton

 

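The arrangement this thread settles on, written out as an added configuration example. It is not configuration from any of the posts or from the FreeRADIUS project: the instance names, basedn values and Reply-Message strings are the ones used in the thread, while the directory host, bind identity and password are placeholders, the file paths follow the stock 2.x raddb/ layout, and the modules listed around the ldap calls are assumed rather than copied from anyone's server. The same fragment answers the 1.1.7 question directly above, where ldap_student returning notfound did not stop the request and a valid password alone produced the Access-Accept in the debug, and the 2009-03-12 resolution near the top of the page (move the unlang into inner-tunnel and enable use_tunneled_reply).

```unlang
# Added example, not configuration from the original posts. Host, bind
# identity and password are placeholders.

# ---- raddb/modules/ldap: one rlm_ldap instance per container. A search from
# the AD root fails with "Operations error" on this directory, so each
# instance is rooted at the OU it is responsible for.
ldap ldap_staff {
	server = "ldap.example.invalid"                                  # placeholder
	identity = "cn=bind-user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"  # placeholder
	password = "CHANGE-ME"                                           # placeholder
	basedn = "ou=staff, dc=ad, dc=hud, dc=ac, dc=uk"
	filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
}

ldap ldap_student {
	server = "ldap.example.invalid"                                  # placeholder
	identity = "cn=bind-user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"  # placeholder
	password = "CHANGE-ME"                                           # placeholder
	basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
	filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
}

# ---- raddb/sites-enabled/inner-tunnel, authorize section. The PEAP inner
# identity is authenticated here, so the OU lookup and the reply attribute
# are decided on the same request that receives the inner Access-Accept.
authorize {
	chap
	mschap
	suffix
	eap
	files

	ldap_staff
	if (ok) {
		update reply {
			Reply-Message := "User is staff"
		}
	}
	else {
		ldap_student
		if (ok) {
			update reply {
				Reply-Message := "User is student"
			}
		}
		else {
			# Found in neither OU: refuse here. Without this branch a
			# "notfound" from ldap_student is not fatal and a valid AD
			# password alone is still accepted, which is what the 1.1.7
			# debug output above shows.
			reject
		}
	}

	expiration
	logintime
	pap
}

# ---- raddb/eap.conf, peap sub-section. On success the inner reply list is
# copied to the outer reply, so the Reply-Message set above is carried in the
# Access-Accept sent to the switch instead of staying inside the tunnel.
peap {
	default_eap_type = mschapv2
	copy_request_to_tunnel = no
	use_tunneled_reply = yes
	virtual_server = "inner-tunnel"
}
```

Why the control-attribute attempt earlier in the thread did not work: a control list belongs to a single request. The outer post-auth runs on the last Access-Request of the EAP exchange, while the ldap lookup that set Tmp-String-0 ran on an earlier one, which is what the debug line "(Attribute control:Tmp-String-0 was not found)" records. Doing the lookup and setting the reply attribute inside inner-tunnel avoids carrying state across requests at all. Check the edited files with radiusd -C before restarting, and give the bind identity read access to the two OUs only: its password sits in clear text in modules/ldap, so it should not be an account with any other rights in the directory.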