Problems with number of instances of freeradius
Hello, here's my problem: we have freeradius on two different architectures: solaris (debian) and intel (debian). On solaris/debian freeradius starts with five instances, on intel/debian it starts with only one instance. If I change the settings in radius.conf there is no change. Some ideas?

regards Markus

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: Redundant Radius with Dynamic Data
Hello Christopher,

here is another suggestion: don't use ippools on radius, use them on the NACs. Then you let the radius decide which ippool to use on the NAC by name. The bad thing is you have to care about pools on NACs, the good one is you don't have to care about pool sync. It works because you can name pools on NACs and the radius can tell the NAC which pool to use.

Hope that helps.

Best Regards,
Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 30 March 2005 12:46
To: freeradius-users@lists.freeradius.org
Subject: Redundant Radius with Dynamic Data

Hello Group,

I am just about to set up a radius service and have managed to acquire 2 servers with a view to making the end product redundant.

Just to give you a little background. The radius system will be used for DSL authentication. The user will authenticate (indirectly via a cisco device) with their [EMAIL PROTECTED] & password. The server will then authorise the user and respond with a single attribute - their IP address. The IP addresses (depending on which domain they are in) will be dynamically allocated from a pool of IP addresses. So far so good.

I don't intend to perform any load balancing of the traffic to the two radius servers. Therefore I was planning to use the features on the Cisco router to treat one server as primary and one as secondary (failover). I will most likely use rsync to synchronise the config from the primary to the secondary.

My problem (and hence the reason for this post) is that the primary would be holding accounting information regarding which IP addresses have been allocated to each user from the "pool" - thus avoiding any IP conflict on the edge network. I do not understand how I would be able to configure the two servers so that if the Primary failed the secondary would know which IPs had been allocated and continue to allocate from the remaining pool.

I have literally only just switched the servers on. I want to get this right from the start. If I cannot find a solution to this issue I have a back out plan that involves setting each user with a static IP, not ideal.

Is an SQL backend the best method? Would a shared SQL backend maintain the integrity of the allocated IP pool? I have experience with Freeradius and would like to continue with this platform, but is it the best one for what I am attempting?

I look forward to your responses to this question.

Best Regards,
Christopher Howarth RHCE
Network & Systems Development Consultant
Equinox Converged Solutions
Tel: +44 (0)1252 405 600
www.equinoxsolutions.com
Radius sends Attributes even to rejected users
I have the following entry in my users file:

testuser1  Huntgroup-Name == vpngroup
           Framed-IP-Address = 10.0.0.1,
           Fall-Through = yes

testuser1  Huntgroup-Name == vpngroup
           Framed-IP-Address = 10.0.0.1,
           Fall-Through = yes

DEFAULT    Huntgroup-Name == vpngroup, Auth-Type := LDAP
           Cisco-AVPair = "ip:inacl#1=permit ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.0.63",
           Cisco-AVPair += "ip:inacl#2=deny ip any any",
           Fall-Through = no

DEFAULT    Auth-Type := Reject

When the user gets authenticated everything works fine, even if he comes from a device which doesn't belong to the huntgroup, but if the user gets rejected (bad password or username) I get an access reject packet AND the ACLs. Why will the Cisco-AVPairs be sent even if the authentication is rejected?

Regards Markus
AW: freeradius doesn't send cisco-avpairs
> I have following entry in the users file:
> bob  User-Password == "bob"
>      Cisco-AVpair = "access-list 188 deny ip any any",
>      Fall-Through = YES
>
> What's wrong?

Try it like this:

Cisco-AVPair = "ip:inacl#1=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63",
Cisco-AVPair += "ip:inacl#2=permit ip a.a.a.a 0.0.0.255 b.b.b.b 0.0.0.63"

The first row needs no + after =, the second one and following need it.

Markus
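The users-file behaviour discussed in this reply and in "Radius sends Attributes even to rejected users" above, as an added example that is not code from the posts or from FreeRADIUS: a Python model of the entry walk with the documented reply-item operators ("=" only when the attribute is absent, ":=" replace, "+=" always append) and Fall-Through, run over the posted entries. Entry contents, huntgroup and user names are the ones posted; the request contents are constructed.

```python
# Added example: a model of how the FreeRADIUS "users" file is walked in
# the authorize stage. It is not FreeRADIUS code; only the operator
# semantics and the in-order entry walk are modelled, nothing else.
from dataclasses import dataclass, field

ACL_PERMIT = "ip:inacl#1=permit ip 10.0.0.0 0.0.0.255 10.10.0.0 0.0.0.63"
ACL_DENY = "ip:inacl#2=deny ip any any"


@dataclass
class Entry:
    """One users-file entry: name, check items, reply items, Fall-Through."""
    name: str                                    # a username or DEFAULT
    checks: list                                 # (attr, op, value); op is == or :=
    replies: list = field(default_factory=list)  # (attr, op, value); op is =, := or +=
    fall_through: bool = False


def apply_reply(reply, attr, op, value):
    """Reply-item operators: '=' adds only if absent, ':=' replaces, '+=' appends."""
    if op == "=":
        if not any(a == attr for a, _ in reply):
            reply.append((attr, value))
    elif op == ":=":
        reply[:] = [(a, v) for a, v in reply if a != attr]
        reply.append((attr, value))
    elif op == "+=":
        reply.append((attr, value))
    else:
        raise ValueError(f"unsupported reply operator {op!r}")


def entry_matches(entry, request):
    """An entry matches when its name fits and every '==' check item compares equal."""
    if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
        return False
    return all(request.get(attr) == value
               for attr, op, value in entry.checks if op == "==")


def process_users(entries, request):
    """Walk the entries in order; stop after the first match without Fall-Through.

    Returns (config, reply): config items set with ':=' (e.g. Auth-Type) and the
    accumulated reply list. Both are built before any authentication runs.
    """
    config, reply = {}, []
    for entry in entries:
        if not entry_matches(entry, request):
            continue
        for attr, op, value in entry.checks:
            if op == ":=":
                config[attr] = value
        for attr, op, value in entry.replies:
            apply_reply(reply, attr, op, value)
        if not entry.fall_through:
            break
    return config, reply


# The entries posted in "Radius sends Attributes even to rejected users"
# (the duplicated testuser1 entry collapsed to one).
USERS = [
    Entry("testuser1", [("Huntgroup-Name", "==", "vpngroup")],
          [("Framed-IP-Address", "=", "10.0.0.1")], fall_through=True),
    Entry("DEFAULT", [("Huntgroup-Name", "==", "vpngroup"), ("Auth-Type", ":=", "LDAP")],
          [("Cisco-AVPair", "=", ACL_PERMIT), ("Cisco-AVPair", "+=", ACL_DENY)]),
    Entry("DEFAULT", [("Auth-Type", ":=", "Reject")]),
]


def authorize(user, huntgroup):
    """Constructed request: User-Name plus the huntgroup the NAS was matched to."""
    return process_users(USERS, {"User-Name": user, "Huntgroup-Name": huntgroup})


def avpairs_with_equals_twice():
    """Bob's original entry with '=' on both Cisco-AVPair rows: the second is dropped."""
    reply = []
    apply_reply(reply, "Cisco-AVPair", "=", ACL_PERMIT)
    apply_reply(reply, "Cisco-AVPair", "=", ACL_DENY)
    return reply


if __name__ == "__main__":
    for user, group in [("testuser1", "vpngroup"), ("unknown", "vpngroup"), ("testuser1", "other")]:
        config, reply = authorize(user, group)
        print(user, group, config, reply)
    print(avpairs_with_equals_twice())
```

The "unknown" user from vpngroup shows the point of the reject question: the DEFAULT entry queues both ACLs and Auth-Type := LDAP at authorize time, before the LDAP password check can fail.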
AW: AW: Obtain IP Address from AD/LDAP
Well, I got this:

freeradius -X
Sending Access-Accept of id 252 to 10.72.33.93:32768
        Framed-IP-Address = -1407490193

and the radtest gets a Framed-IP-Address = 255.255.255.255.

I recorded with tcpdump that the freeradius sends this:

Access Accept (2), id: 0xff, Authenticator: 17a1e40da579e4dbbde5cf54d0987873
  Framed IP Address Attribute (8), length: 6, Value: User Selected 0x:

Every time there is a negative value it is sent as . So I guess that this is OS specific :-( I use freeradius 1.1.0-pre0 on intel/debian sarge.

I think the best way is to open a feature request that freeradius converts signed integers to unsigned integers.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
> Sent: Tuesday, 11 January 2005 18:19
> To: freeradius-users@lists.freeradius.org
> Subject: Re: AW: Obtain IP Address from AD/LDAP
>
> I think it should be OK. I just did a basic test with radclient. Here is what radiusd -X showed me.
>
> Sending Access-Accept of id 52 to 127.0.0.1:2673
>         Framed-IP-Address = -1407490193
>
> Here is what radclient showed me.
>
> Received response ID 52, code 2, length = 26
>         Framed-IP-Address = 172.27.103.111
>
> What does radiusd -X show you?
>
> On Tue, 11 Jan 2005 [EMAIL PROTECTED] wrote:
>
> > Next Problem,
> >
> > MS AD saves the IP Address as signed INT32 so I didn't get an IP Address back, some ideas how I can convert such a thing? As example: 172.27.103.111 is saved as -1407490193
> >
> > Markus
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
> > > Sent: Monday, 10 January 2005 15:08
> > > To: freeradius-users@lists.freeradius.org
> > > Subject: Re: Obtain IP Address from AD/LDAP
> > >
> > > > Hello and Happy new Year,
> > > >
> > > > here is my prob, hope someone can help me.
> > > > I use freeradius to authenticate users against MS Active directory. Most of my users obtain their IPs from ippool within radius, but some should obtain their Address from AD. How do I get the Address out of the AD and can assign it to my user?
> > > >
> > > > Regards
> > > >
> > > > Markus
> > >
> > > Find the ldap attribute in AD with their IP address and netmask. Let's say it's msipaddr and msipmask. Edit ldap.attrmap and point the correct radius attributes to the correct AD ldap attributes.
> > >
> > > eg
> > >
> > > replyItem Framed-IP-Address msipaddr
> > > replyItem Framed-IP-Netmask msipmask
> > >
> > > In your ippool configuration, make sure you have the following
> > >
> > > override = no
> > >
> > > Restart radius.
> > >
> > > Now when the user is authorized it will search for reply items. It will look for msipaddr and msipmask and make those values the framed-ip-address and framed-ip-netmask. The override = no, will tell rlm_ippool not to override those values. So, if those are already set, then rlm_ippool won't give that user an IP.
> > >
> > > -Dusty Doris
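The signed-integer problem in this thread, as an added example that is not code from the posts or from FreeRADIUS: converting the INT32 that Active Directory returns (the posted -1407490193) into the dotted quad it encodes, and packing it as the Framed-IP-Address attribute (type 8, length 6) a reply would carry. It assumes the integer holds the address in network byte order, which the posted pair confirms.

```python
# Added example: signed 32-bit directory value <-> IPv4 address, plus the
# RADIUS Framed-IP-Address attribute (type 8, length 6) built from it.
# Not FreeRADIUS code. Assumes the INT32 holds the address in network byte
# order, i.e. 172.27.103.111 <-> -1407490193 as posted on this page.
import ipaddress
import struct

FRAMED_IP_ADDRESS = 8  # RADIUS attribute type (RFC 2865)


def int32_to_ipv4(value):
    """Reinterpret a signed (or unsigned) 32-bit integer as an IPv4 address."""
    if not -(1 << 31) <= value < (1 << 32):
        raise ValueError(f"{value} does not fit in 32 bits")
    # Two's-complement wrap: -1407490193 & 0xFFFFFFFF == 2887477103
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def ipv4_to_int32(dotted):
    """Inverse: the signed value a directory storing INT32 would hold."""
    unsigned = int(ipaddress.IPv4Address(dotted))
    return unsigned - (1 << 32) if unsigned >= (1 << 31) else unsigned


def directory_value_to_ipv4(text):
    """An LDAP client gets the value back as a string; accept only a 32-bit integer."""
    try:
        value = int(text.strip(), 10)
    except ValueError:
        raise ValueError(f"not an integer directory value: {text!r}") from None
    return int32_to_ipv4(value)


def encode_framed_ip(value):
    """Type, length, then the address as 4 bytes in network order."""
    packed = ipaddress.IPv4Address(int32_to_ipv4(value)).packed
    return struct.pack("!BB4s", FRAMED_IP_ADDRESS, 6, packed)


def decode_framed_ip(avp):
    """Parse one Framed-IP-Address AVP; refuse other types or bad lengths."""
    if len(avp) != 6:
        raise ValueError("Framed-IP-Address must be exactly 6 bytes")
    attr_type, length, packed = struct.unpack("!BB4s", avp)
    if attr_type != FRAMED_IP_ADDRESS or length != 6:
        raise ValueError("not a well-formed Framed-IP-Address attribute")
    return str(ipaddress.IPv4Address(packed))


if __name__ == "__main__":
    stored = "-1407490193"  # the value posted from AD
    ip = directory_value_to_ipv4(stored)
    avp = encode_framed_ip(int(stored))
    print(stored, "->", ip, "->", avp.hex(), "->", decode_framed_ip(avp))
```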
AW: Obtain IP Address from AD/LDAP
Next Problem,

MS AD saves the IP Address as signed INT32 so I didn't get an IP Address back, some ideas how I can convert such a thing? As example: 172.27.103.111 is saved as -1407490193

Markus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
> Sent: Monday, 10 January 2005 15:08
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Obtain IP Address from AD/LDAP
>
> > Hello and Happy new Year,
> >
> > here is my prob, hope someone can help me.
> > I use freeradius to authenticate users against MS Active directory. Most of my users obtain their IPs from ippool within radius, but some should obtain their Address from AD. How do I get the Address out of the AD and can assign it to my user?
> >
> > Regards
> >
> > Markus
>
> Find the ldap attribute in AD with their IP address and netmask. Let's say it's msipaddr and msipmask. Edit ldap.attrmap and point the correct radius attributes to the correct AD ldap attributes.
>
> eg
>
> replyItem Framed-IP-Address msipaddr
> replyItem Framed-IP-Netmask msipmask
>
> In your ippool configuration, make sure you have the following
>
> override = no
>
> Restart radius.
>
> Now when the user is authorized it will search for reply items. It will look for msipaddr and msipmask and make those values the framed-ip-address and framed-ip-netmask. The override = no, will tell rlm_ippool not to override those values. So, if those are already set, then rlm_ippool won't give that user an IP.
>
> -Dusty Doris
Obtain IP Address from AD/LDAP
Hello and Happy new Year,

here is my prob, hope someone can help me. I use freeradius to authenticate users against MS Active directory. Most of my users obtain their IPs from ippool within radius, but some should obtain their Address from AD. How do I get the Address out of the AD and can assign it to my user?

Regards

Markus
AW: freeradius and RSA SecurID
We're using debian, it's not one of the supported distris :-( The fact is I won't use RSA Radius because, as I heard, it costs much more than only the ACE.

Markus

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Markstaller
> Sent: Thursday, 9 December 2004 08:39
> To: [EMAIL PROTECTED]
> Subject: RE: freeradius and RSA SecurID
>
> I spent quite some time messing around with several versions of the RSA Agent (PAM and Web) on several distris (Debian, suse, redhat) and finally came to the conclusion: it's crap.. We're using pam_radius_auth for securid-authentication at pam-side, for SSH it works like a charm. Radius-Auth for securid-users via freeradius gets proxied directly to the ACE-radius, also working very smooth; for apache we're using mod_securid but can also be easily done via mod_auth_radius. I wouldn't recommend messing up any freeradius box with these agents. What distri are you running? In case it's not exactly one of the "supported" ones, RSA-support won't help you..
>
> Michael
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> > Sent: Thursday, December 09, 2004 8:25 AM
> > To: [EMAIL PROTECTED]
> > Subject: freeradius and RSA SecurID
> >
> > Hello,
> >
> > because the SecurID PAM module doesn't work I want to open a request at RSA for making the module work. So I need some information:
> >
> > What does this logline exactly mean?
> >
> > pam_pass: function pam_authenticate FAILED for . Reason: Module is unknown
> >
> > Regards Markus
freeradius and RSA SecurID
Hello,

because the SecurID PAM module doesn't work I want to open a request at RSA for making the module work. So I need some information:

What does this logline exactly mean?

pam_pass: function pam_authenticate FAILED for . Reason: Module is unknown

Regards Markus
AW: debian with freeradius and securid PAM Module
freeradius says the following:

rad_check_password: Found Auth-Type pam
auth: type "PAM"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
pam_pass: using pamauth string for pam.conf lookup
pam_pass: function pam_authenticate FAILED for . Reason: Module is unknown
modcall[authenticate]: module "pam" returns reject for request 0

But I think pam and radius are correctly configured.

users:
DEFAULT Auth-Type = PAM

radius.conf:
pam {
        pam_auth = radiusd
}

pam is uncommented in the authentication section.

pam.d/radiusd:
auth required pam_securid.so

The path is now in the libdir and in /etc/ld.so.conf. ssh works fine with the module. Is it possible to debug PAM?

Markus Wintruff

> > I want to use securid with freeradius on my debian.
> > I have chosen and installed the pam_securid.so module from RSA and set up pam and freeradius.
>
> PAM may have memory leaks. If at all possible, I would suggest using a command-line tool from SecurID to do the authentication.
>
> > If I make a radtest, every time I get the following errors in syslog:
> > Nov 17 14:31:49 abrakadabra freeradius: PAM unable to dlopen(/lib/security/pam_securid.so)
>
> It's probably not in the default library path. See /etc/ld.so.conf, or edit radiusd.conf, and add ':/lib/security' to the end of the 'libdir' directive.
>
> Alan DeKok.
debian with freeradius and securid PAM Module
Hello,

I want to use securid with freeradius on my debian. I have chosen and installed the pam_securid.so module from RSA and set up pam and freeradius. If I make a radtest, every time I get the following errors in syslog:

Nov 17 14:31:49 abrakadabra freeradius: PAM unable to dlopen(/lib/security/pam_securid.so)
Nov 17 14:31:49 abrakadabra freeradius: PAM [dlerror: /lib/security/pam_securid.so: undefined symbol: pam_get_item]
Nov 17 14:31:49 abrakadabra freeradius: PAM adding faulty module: /lib/security/pam_securid.so

When I use the module with ssh it works quite well. Has anybody some ideas? Is there anybody who is using securid with freeradius?

Regards Markus Wintruff
AW: rlm_ldap & windows active directory
Search the list

Markus

> Hello.
> Has anybody an example of rlm_ldap using with MS active directory for authentication?
>
> --
> Alexander
AW: AW: freeRADIUS and Microsoft Active Directory
Hola Ester,

these are all ldap specific things.

> At the line about the server, do you mean server=server.domain?

Yes, this has to be your DomainController.

> After that, must the identity and password be of a user who can access the AD?

Yes, every user you create in AD is allowed to check passwords. You should disable password expiration for this user.

> And last, what's the basedn field?

Well, if you search in AD/LDAP you can choose a basedn, it defines from which level in the tree your search will start. You should select a basedn near by your users container, this speeds up the search.

Hope this helps.

Saludos a España

Markus
AW: Different authentication based on huntgroup
Yes this is possible. You have to create huntgroups and then compare your users with these huntgroups, e.g. like this:

DEFAULT Huntgroup-Name == groupa, Auth-Type := LDAP
        Fall-Through = no

and so on.

Markus Wintruff

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graeme Hinchliffe
> Sent: Tuesday, 24 August 2004 11:06
> To: FreeRADIUS list
> Subject: Different authentication based on huntgroup
>
> Hiya,
> I need to be able to provide 2 completely different authentications which are dependent on the NAS that the request comes from. Both authentication requests will come for the same user from each NAS in turn, the 1st NAS I need to respond with an accept regardless of the username/password being valid, the 2nd is more standard and will need to take into account the username/password correctly.
>
> My current line of thinking is to run 2 copies of freeradius on the box. One copy listens to the loopback interface only, and is the one that always accepts requests. The other listens to the public IP address and proxies requests to the local-only copy of freeradius.
>
> Would be nice to only have one copy of freeradius running on the box tho. Anyone know if it is possible to select authentication method based on huntgroup (both using same SQL server also).
>
> Thanks
>
> --
> Graeme Hinchliffe (BSc)
> Core Internet Systems Designer
> Zen Internet (http://www.zen.co.uk/)
>
> Direct: 0845 058 9074
> Main : 0845 058 9000
> Fax : 0845 058 9005
AW: freeradius port 1814
Thanks, that's it ;-)

Markus Wintruff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graeme Hinchliffe
Sent: Wednesday, 18 August 2004 14:52
To: FreeRADIUS list
Subject: Re: freeradius port 1814

On Wed, 2004-08-18 at 13:41, [EMAIL PROTECTED] wrote:
> Hello,
>
> does anybody know why freeradius opens a Port 1814(tdp-suite)?

proxy

1812 - RADIUS
1813 - RADACCT
1814 - ProxyRADIUS

I would believe

--
Graeme Hinchliffe (BSc)
Core Internet Systems Designer
Zen Internet (http://www.zen.co.uk/)

Direct: 0845 058 9074
Main : 0845 058 9000
Fax : 0845 058 9005
freeradius port 1814
Hello,

does anybody know why freeradius opens a Port 1814(tdp-suite)?

Markus
AW: LDAP authorization filter question
Maybe huntgroups are what you are looking for.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J. Fowler
Sent: Tuesday, 17 August 2004 00:08
To: [EMAIL PROTECTED]
Subject: LDAP authorization filter question

Hello,

( radiusd: FreeRADIUS Version 1.0.0-pre3 ) solaris, iplanet directory server 5.2 ...

We are attempting to authenticate multiple users based on which Called-Station-ID or NAS-IP-Address. We would like to dynamically build the LDAP search filter based on the originating source. Is this possible? What I would like to do is set the attribute "userclass" to some value and use the value in the LDAP filter. If this is not possible, how can I authorize multiple sources using unique ldap search filters?

users file:

DEFAULT Called-Station-ID =~ "$|$|$", Auth-Type := LDAP
        userClass = ourDialup,
        Fall-Through = No

DEFAULT NAS-IP-Address == 192.168.1.150, Auth-Type := LDAP
        userClass = ourWiFi,
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "UNKNOWN Authentication method"

radiusd.conf:

ldap {
        identity = "uid=someuser,ou=site,dc=..."
        password =
        basedn = "ou=site ... t"
        filter = "(&(uid=%{User-Name})(userClass=%{userclass}))"
        ...
}

Debug information showing ldapsearch filter NOT being set.

rlm_ldap: - authorize
rlm_ldap: performing user authorization for test666
radius_xlat: '(&(uid=test666)(userClass=))'
radius_xlat: 'o=cvip.net'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0

Any help would be greatly appreciated.

Thanks,
Jay
AW: freeRADIUS and Microsoft Active Directory
Hello Chris,

We use users in different OUs and it works fine. You have to use a basedn at the top of your AD.

Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kellogg, Chris
Sent: Friday, 13 August 2004 18:03
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory

This is great information, thanks! By the way, I found that 'UserPrincipalName' did not work; I used 'sAMAccountName' with success.

It leads to a couple new questions, however. What about people who have users broken into multiple OUs in their Active Directory? The BaseDN option in radiusd.conf appears to focus the username search to the particular OU container indicated; nothing underneath that OU will be checked. It's also apparently not possible to just give the top container and have it search. I'm not an AD expert, so I might be missing a simple solution.

I am also trying to verify membership in a specific group; LDAP can't find it, and I'm wondering if anyone has encountered this before. I verified the Group was in the same OU as indicated by basedn, and the user is a member of that group.

What have other people done in these situations?

Chris.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: AW: freeRADIUS and Microsoft Active Directory

Hello Hugo,

there is no problem to use FR with AD. Here is an example:

ldap {
        server = your.ad.server.org
        identity = "(some user, you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
        password = (the password)
        basedn = "dc=your,dc=company,dc=org"
        # here you have to choose the filter, I use the UserPrincipalName but you can choose something else too
        filter = "(UserPrincipalName=%u)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        # if you want to check if the user is in a special group you can use this
        groupmembership_filter = "(member=%{Ldap-UserDn})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

In the authorize and the authentication section you have to uncomment the ldap entry.

Your users file should look like this:

DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
        Fall-Through = no

Good Luck
Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory

Hi all,

Did any of you guys already configure a freeRADIUS with Microsoft Active Directory? I know that it's possible to configure "FR" with LDAP, so I think that it's also possible to do it with AD. If you could reply to me with some example of the .conf files for this particular situation, that would be just great! :-)

Thanks.

Best regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
AW: freeRADIUS and Microsoft Active Directory
No, didn't try it.

Markus Wintruff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of KP Rao
Sent: Friday, 13 August 2004 00:34
To: [EMAIL PROTECTED]
Subject: RE: freeRADIUS and Microsoft Active Directory

Have you tried to integrate eap along with AD on FreeRADIUS?

--kp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 12, 2004 5:30 PM
To: [EMAIL PROTECTED]
Subject: AW: freeRADIUS and Microsoft Active Directory

Hello Hugo,

there is no problem to use FR with AD. Here is an example:

ldap {
        server = your.ad.server.org
        identity = "(some user, you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
        password = (the password)
        basedn = "dc=your,dc=company,dc=org"
        # here you have to choose the filter, I use the UserPrincipalName but you can choose something else too
        filter = "(UserPrincipalName=%u)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        # if you want to check if the user is in a special group you can use this
        groupmembership_filter = "(member=%{Ldap-UserDn})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

In the authorize and the authentication section you have to uncomment the ldap entry.

Your users file should look like this:

DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
        Fall-Through = no

Good Luck
Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory

Hi all,

Did any of you guys already configure a freeRADIUS with Microsoft Active Directory? I know that it's possible to configure "FR" with LDAP, so I think that it's also possible to do it with AD. If you could reply to me with some example of the .conf files for this particular situation, that would be just great! :-)

Thanks.

Best regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
AW: freeRADIUS and Microsoft Active Directory
Hello Hugo,

there is no problem to use FR with AD. Here is an example:

ldap {
        server = your.ad.server.org
        identity = "(some user, you don't need a special one, I created one only for asking AD. I have chosen the user principal name)"
        password = (the password)
        basedn = "dc=your,dc=company,dc=org"
        # here you have to choose the filter, I use the UserPrincipalName but you can choose something else too
        filter = "(UserPrincipalName=%u)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        # if you want to check if the user is in a special group you can use this
        groupmembership_filter = "(member=%{Ldap-UserDn})"
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

In the authorize and the authentication section you have to uncomment the ldap entry.

Your users file should look like this:

DEFAULT Ldap-Group == (groupname to check for), Auth-Type := LDAP
        Fall-Through = no

Good Luck
Markus

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hugo Sousa
Sent: Thursday, 12 August 2004 10:44
To: [EMAIL PROTECTED]
Subject: freeRADIUS and Microsoft Active Directory

Hi all,

Did any of you guys already configure a freeRADIUS with Microsoft Active Directory? I know that it's possible to configure "FR" with LDAP, so I think that it's also possible to do it with AD. If you could reply to me with some example of the .conf files for this particular situation, that would be just great! :-)

Thanks.

Best regards,
Hugo Sousa
SysAdmin / NetworkAdmin
http://www.netsystems.pt
Portugal
AW: Instantiated ldap_groupcmp()
> > Ah. But the module still registers a callback for LDAP-Group, even
> > if one already exists. That should probably be double-checked...
>
> The only way for the ldap module to know if ldap-group has been registered is to keep a ldap_group_registered value. In any case the ldap module which will be instantiated last will be the one that will handle ldap-group comparisons. If we add a check that will change to the first ldap module which is instantiated. I think it's more or less a matter of personal taste, which module we'd like to handle ldap-group comparisons. Is it really worth the effort. Users can just change the order in which the ldap modules are instantiated in order to achieve what they want.

Well, if I understood that right, there is a problem in this case: when there are two ldap instances with different basedns

radiusd.conf:

ldap a {
        ...
        basedn = {a}
        ...
}
ldap b {
        basedn = {b}
}

users:

DEFAULT ldap-group == A, Auth-Type := a
DEFAULT ldap-group == B, Auth-Type := b

then all users will be ldap-group checked with instance b, right?! But users authenticated with the first entry must be checked with instance a. Or is my understanding not o.k.?

Greets to Greece
Instantiated ldap_groupcmp()
Hello, I use freeradius 0.9.3 on debian. In my radiusd.conf i configured two different ldap instances. In my user file i have configured different LDAP Groups with different Auth-Types (Ldap instances) <> DEFAULT Huntgroup-Name == ciscovpn, Ldap-Group == G-VPN-GCC, Pool-Name := "ippool2", Auth-Type := DATAPORT Fall-Through = no DEFAULT Huntgroup-Name == ciscovpn, Ldap-Group == G-VPN-JB-Stawa, Pool-Name := "ippool4", Auth-Type := STAWA Fall-Through = no <> <> ldap DATAPORT { server = x.x.x.x identity = "[EMAIL PROTECTED]" password= password basedn = "OU=a, DC=my,DC=own,DC=company,DC=de" filter = "(UserPrincipalName=%u)" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(member=%{Ldap-UserDn})" timeout = 4 timelimit = 3 net_timeout = 1 } ldap STAWA { server = x.x.x.x (same AD as above) identity = "[EMAIL PROTECTED]" password= password basedn = "ou=x,ou=y,ou=z,dc=my,dc=own,dc=company,dc=de" filter = "(UserPrincipalName=%u)" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupmembership_filter = "(member=%{Ldap-UserDn})" timeout = 4 timelimit = 3 net_timeout = 1 } <> Now, when a user tries to get authenticated the ldap_groupcmp() always uses one ldap instance even when the auth-type for the user is a different ldap-instance. 
    rad_recv: Access-Request packet from host d.d.d.d:32793, id=65, length=90
            User-Name = "[EMAIL PROTECTED]"
            User-Password = ""
            NAS-IP-Address = x.x.x.x
            NAS-Port = 123
            Framed-Protocol = PPP
    modcall: entering group authorize for request 0
      modcall[authorize]: module "preprocess" returns ok for request 0
      modcall[authorize]: module "eap" returns noop for request 0
        huntgroups: Matched ciscovpn at 21
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat:  'ou=a,dc=my,dc=own,dc=domain,dc=de'
    radius_xlat:  '([EMAIL PROTECTED])'
    ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to 10.72.8.24:389, authentication 0
    rlm_ldap: bind as [EMAIL PROTECTED]/passwd to d.d.d.d:389
    rlm_ldap: waiting for bind result ...
    rlm_ldap: performing search in ou=a,dc=my,dc=own,dc=company,dc=de, with filter ([EMAIL PROTECTED])
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap::ldap_groupcmp: search failed
    ldap_release_conn: Release Id: 0
        huntgroups: Matched ciscovpn at 21
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat:  'ou=a,dc=my,dc=own,dc=domain,dc=de'
    radius_xlat:  '([EMAIL PROTECTED])'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=a,dc=my,dc=own,dc=company,dc=de, with filter ([EMAIL PROTECTED])
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap::ldap_groupcmp: search failed
    ldap_release_conn: Release Id: 0
        huntgroups: Matched ciscovpn at 21
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat:  'ou=a,dc=my,dc=own,dc=domain,dc=de'
    radius_xlat:  '([EMAIL PROTECTED])'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=a,dc=my,dc=own,dc=company,dc=de, with filter ([EMAIL PROTECTED])
    rlm_ldap: object not found or got ambiguous search result
    rlm_ldap::ldap_groupcmp: search failed
    ldap_release_conn: Release Id: 0
        users: Matched DEFAULT at 13
      modcall[authorize]: module "files" returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password:  Found Auth-Type Reject
    rad_check_password: Auth-Type = Reject, rejecting user
    auth: Failed to validate the user.
    Login incorrect: [EMAIL PROTECTED] (from client Self port 123)
    Delaying request 0 for 1 seconds
    Finished request 0

So the user never gets authenticated. I saw that Kostas made a change to rlm_ldap in 1.0.0-pre for instantiated ldap_groupcmp(); is that my solution?

Regards
Markus Wintruff
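The symptom in both the thread above (which ldap instance ends up owning the Ldap-Group comparison) and this post (every ldap_groupcmp() search hitting the DATAPORT basedn and failing) is visible in the debug output itself. The following is an added example, not code from the post or from FreeRADIUS: it parses the poster's own debug lines (copied verbatim into DEBUG_LOG) and maps each groupcmp search to the instance whose basedn it used. The INSTANCES table is a constructed assumption mirroring the two ldap blocks in the poster's radiusd.conf.

```python
"""Detect Ldap-Group checks that all run against one rlm_ldap instance.

Added example for the mailing-list thread, not code from the post or from
FreeRADIUS.  DEBUG_LOG is the poster's radiusd -X output; INSTANCES is a
constructed table built from the two ldap {} blocks in the poster's config.
"""
import re

# Constructed from the two ldap {} blocks in the post (assumption).
INSTANCES = {
    "DATAPORT": "OU=a, DC=my,DC=own,DC=company,DC=de",
    "STAWA": "ou=x,ou=y,ou=z,dc=my,dc=own,dc=company,dc=de",
}

# Copied from the post's debug output (the three groupcmp rounds and the result).
DEBUG_LOG = """\
    huntgroups: Matched ciscovpn at 21
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=a,dc=my,dc=own,dc=domain,dc=de'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=a,dc=my,dc=own,dc=company,dc=de, with filter ([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
ldap_release_conn: Release Id: 0
    huntgroups: Matched ciscovpn at 21
rlm_ldap: Entering ldap_groupcmp()
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=a,dc=my,dc=own,dc=company,dc=de, with filter ([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
ldap_release_conn: Release Id: 0
    huntgroups: Matched ciscovpn at 21
rlm_ldap: Entering ldap_groupcmp()
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=a,dc=my,dc=own,dc=company,dc=de, with filter ([EMAIL PROTECTED])
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
ldap_release_conn: Release Id: 0
    users: Matched DEFAULT at 13
rad_check_password:  Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
"""

SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter ")


def normalize_dn(dn):
    """Case-fold RDNs and drop spaces after commas so 'OU=a, DC=my' == 'ou=a,dc=my'."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_group_checks(log_text):
    """One dict per ldap_groupcmp() call: the basedn it searched and whether it failed."""
    checks, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Entering ldap_groupcmp()"):
            current = {"basedn": None, "failed": False}
            checks.append(current)
        elif current is not None:
            m = SEARCH_RE.search(line)
            if m:
                current["basedn"] = normalize_dn(m.group("base"))
            elif "ldap_groupcmp: search failed" in line:
                current["failed"] = True
            elif "Release Id" in line:
                current = None  # connection released: this groupcmp round is over
    return checks


def instance_for(basedn, instances):
    """Name of the ldap instance whose configured basedn matches the searched one."""
    for name, base in instances.items():
        if normalize_dn(base) == basedn:
            return name
    return None


def diagnose(log_text, instances):
    checks = parse_group_checks(log_text)
    used = {instance_for(c["basedn"], instances) for c in checks}
    return {
        "checks": len(checks),
        "instances_used": used,
        "all_failed": all(c["failed"] for c in checks),
        "rejected": "Found Auth-Type Reject" in log_text,
        # The symptom from the post: more than one ldap instance is configured,
        # yet every Ldap-Group comparison is answered by a single one of them.
        "single_instance_handles_groupcmp": len(instances) > 1 and len(used) == 1,
    }


if __name__ == "__main__":
    for key, value in diagnose(DEBUG_LOG, INSTANCES).items():
        print("%-34s %s" % (key, value))
```

Run against the log from the post, diagnose() reports three groupcmp rounds, all searched under the DATAPORT basedn, all failed, and a final Reject: exactly the "last instantiated instance answers every Ldap-Group check" behaviour Kostas describes in the quoted reply. The same parser works on any rlm_ldap 0.9/1.x debug output; feed it the live `radiusd -X` log and a table of your own instances.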
AD authentication, problem with reference
Hi all,

Here is my problem; hope someone is able to help me. I use freeradius 0.9.3 on debian. I want to ask our company's AD for authentication. The AD is built up in the following way:

    Ou=users,Ou=(different ous),dc=my,dc=company,dc=de

If I ask for a user with basedn Ou=unit,dc=my,dc=company,dc=de everything works fine. Now I have to ask for different users in different ous, so I use basedn=dc=company,dc=de and now I get an error saying: Error: rlm_ldap: ldap_search() failed: Opperational Error.

I traced it and saw that I got a reference and the ldap module binds to a different AD server; the problem is it tries to bind anonymously, and I don't know why it doesn't use the identity I configured. In the search result there is the answer I needed, too. But how can I use it without the reference, or how can I tell the module to use the configured identity?

Here is the ldap part of my radiusd.conf:

    ldap {
            server = adserver.my.company.hamburg.de
            identity = "[EMAIL PROTECTED]"
            password =
            basedn = "DC=my,DC=company,DC=hamburg,DC=de"
            filter = "(UserPrincipalName=%u)"

            # set this to 'yes' to use TLS encrypted connections
            # to the LDAP database by using the StartTLS extended
            # operation.
            # The StartTLS operation is supposed to be used with normal
            # ldap connections instead of using ldaps (port 689) connections
            start_tls = no

            # Mapping of RADIUS dictionary attributes to LDAP
            # directory attributes.
            dictionary_mapping = ${raddbdir}/ldap.attrmap

            ldap_connections_number = 5
            groupmembership_filter = "(member=%{Ldap-UserDn})"
            timeout = 4
            timelimit = 3
            net_timeout = 1
    }

Is it a bug or a feature ;-)

Regards
Markus Wintruff
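What the poster is seeing is LDAP referral chasing: a subtree search at the domain root makes AD hand back referrals to other naming contexts, and the client library follows them with a fresh, credential-less connection. The defensive pattern is to not chase referrals at all, treat any referral entries in the result as data to ignore, and escape the user-supplied name before it goes into the filter. The block below is an added example written against the python-ldap API, not rlm_ldap code and not something from the post; the server name, bind identity and the SAMPLE_RESULT entries (a user entry plus two DnsZones referrals of the kind AD returns for root searches) are constructed for illustration.

```python
"""Referral-safe user lookup against Active Directory.

Added example for the mailing-list post above; it is not rlm_ldap code.
Pure helpers (escaping, result splitting, resolving) run offline against a
constructed sample result; search_ad() is the live call and needs python-ldap.
All server names, identities and DNs here are placeholders.
"""


def escape_filter_value(value):
    """RFC 4515 escaping so a RADIUS User-Name cannot alter the filter's meaning."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(user):
    """Same shape as the post's filter, but with the %u value escaped."""
    return "(userPrincipalName=%s)" % escape_filter_value(user)


def split_result(raw):
    """python-ldap returns referrals as (None, ['ldap://...']) tuples mixed in
    with real (dn, attrs) entries.  Separate them instead of letting the
    library chase the referral on an unauthenticated connection."""
    entries, referrals = [], []
    for dn, data in raw:
        if dn is None:
            referrals.extend(data)
        else:
            entries.append((dn, data))
    return entries, referrals


def resolve_user(raw):
    """Return the single matching DN, mirroring rlm_ldap's 'object not found or
    got ambiguous search result' rule: exactly one entry or the lookup fails."""
    entries, _referrals = split_result(raw)
    if len(entries) != 1:
        raise LookupError("expected one entry, got %d" % len(entries))
    return entries[0][0]


def search_ad(server, identity, password, basedn, user, port=389):
    """Live lookup (requires python-ldap).  Searching the Global Catalog on
    port 3268 is the other common way to cover all OUs without referrals."""
    import ldap  # python-ldap; imported here so the helpers above run offline

    conn = ldap.initialize("ldap://%s:%d" % (server, port))
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    # Do not follow referrals: libldap would open them without the bind
    # credentials, which is the anonymous bind the poster traced.  AD then
    # returns them as searchResRef entries that split_result() sets aside.
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(identity, password)
    try:
        raw = conn.search_s(basedn, ldap.SCOPE_SUBTREE, build_filter(user),
                            ["distinguishedName", "memberOf"])
    finally:
        conn.unbind_s()
    return split_result(raw)


# Constructed sample of what a root-base subtree search returns from AD:
# one matching user plus the referrals for the DNS application partitions.
SAMPLE_RESULT = [
    ("CN=Markus,OU=users,OU=unit,DC=my,DC=company,DC=de",
     {"distinguishedName": [b"CN=Markus,OU=users,OU=unit,DC=my,DC=company,DC=de"],
      "memberOf": [b"CN=G-VPN-GCC,OU=groups,DC=my,DC=company,DC=de"]}),
    (None, ["ldap://ForestDnsZones.my.company.de/DC=ForestDnsZones,DC=my,DC=company,DC=de"]),
    (None, ["ldap://DomainDnsZones.my.company.de/DC=DomainDnsZones,DC=my,DC=company,DC=de"]),
]


if __name__ == "__main__":
    entries, referrals = split_result(SAMPLE_RESULT)
    print("entries:", [dn for dn, _ in entries])
    print("referrals ignored:", referrals)
    print("resolved:", resolve_user(SAMPLE_RESULT))
    print("filter:", build_filter("user@my.company.de"))
```

With OPT_REFERRALS set to 0 the referrals still arrive in the result set, which is useful: logging them tells you which naming contexts your base DN is touching, while nothing ever binds anonymously on your behalf. If the accounts really live in several domains rather than several OUs of one domain, query the Global Catalog (port 3268) instead of raising the base DN, because the GC holds a partial replica of every domain and answers without referrals.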
Ask active directory(ldap) for authentication. Problem with reference
Hi all,

Here is my problem; hope someone is able to help me. I use freeradius 0.9.3 on debian. I want to ask our company's AD for authentication. The AD is built up in the following way:

    Ou=users,Ou=(different ous),dc=my,dc=company,dc=de

If I ask for a user with basedn Ou=unit,dc=my,dc=company,dc=de everything works fine. Now I have to ask for different users in different ous, so I use basedn=dc=company,dc=de and now I get an error saying: Error: rlm_ldap: ldap_search() failed: Opperational Error.

I traced it and saw that I got a reference and the ldap module binds to a different AD server; the problem is it tries to bind anonymously, and I don't know why it doesn't use the identity I configured. In the search result there is the answer I needed, too. But how can I use it without the reference, or how can I tell the module to use the configured identity?

Here is the ldap part of my radiusd.conf:

    ldap {
            server = adserver.my.company.hamburg.de
            identity = "[EMAIL PROTECTED]"
            password =
            basedn = "DC=my,DC=company,DC=hamburg,DC=de"
            filter = "(UserPrincipalName=%u)"

            # set this to 'yes' to use TLS encrypted connections
            # to the LDAP database by using the StartTLS extended
            # operation.
            # The StartTLS operation is supposed to be used with normal
            # ldap connections instead of using ldaps (port 689) connections
            start_tls = no

            # Mapping of RADIUS dictionary attributes to LDAP
            # directory attributes.
            dictionary_mapping = ${raddbdir}/ldap.attrmap

            ldap_connections_number = 5
            groupmembership_filter = "(member=%{Ldap-UserDn})"
            timeout = 4
            timelimit = 3
            net_timeout = 1
    }

Is it a bug or a feature ;-)

Regards
Markus Wintruff
Operations, Firewall and Server-based Data Services
____
Dataport
Hamburg branch office
Billstr. 82, 20539 Hamburg
Internet: www.dataport.de
E-Mail: [EMAIL PROTECTED]
Phone: 040 - 4 28 46 28 78
Fax: 040 - 4 279 46 878