Re: I would like help for Freeradius integration on AD domain
On 31/05/11 14:39, edgardolenza wrote:
> Hello everybody, I apologize because I'm new with linux and freeradius also. I've read many forums and many howtos but I've got some trouble with user authentication on the domain controller.
>
> This is my working layout:
> - I've got an appliance (radius client) getting authentication requests from users.
> - the radius client sends authentication requests to the freeradius (using CHAP)
> - freeradius has to ask AD if the user can be authenticated

If you want to use AD, you'll be needing to use MSCHAPv2, realistically. Most likely inside PEAP, as this is what the MS supplicants use. Others may also play with EAP-TTLS, but from what I've seen dealing with 802.1x stuff here, it's nearly always MS-CHAPv2 on the inside (although there are sometimes others available as well).

> I've configured many things and I've done many tests: the freeradius server seems to be working correctly. The machine is in the Microsoft domain, and I'm able to make queries on AD. When I try to authenticate with the domain's users I've got problems: I've put the debug at the bottom of this message.

You need to make sure the freeradius server is joined to the domain (therefore Samba must be installed). Also, you'll need winbindd running.

> *snip*
> Module: Instantiating module mschap from file /etc/raddb/modules/mschap
>  mschap {
>   use_mppe = yes
>   require_encryption = yes
>   require_strong = yes
>   with_ntdomain_hack = yes
>   ntlm_auth = /user/bin/ntlm_auth --request-nt-key --username=radiustest
>  }

Obviously you'll be wanting to fix the ntlm_auth line as well.

Hope this helps.

-- 
Martin Goldstone
IT Systems Administrator, Finance IT
Keele University, Keele, Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
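As an added example (not the poster's configuration and not part of Martin's reply), this is how the mschap module and the PEAP wrapper look once the ntlm_auth line is corrected: the real helper lives in /usr/bin, and it has to receive the per-request MS-CHAPv2 challenge and response plus the user and domain from the request rather than a fixed --username. File paths follow the FreeRADIUS 2.x layout visible in the debug output; the tls stanza that PEAP also needs for its server certificate is omitted.

```conf
# /etc/raddb/modules/mschap
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes

	# Path is /usr/bin, not /user/bin. The challenge and NT-Response come
	# from the MS-CHAPv2 exchange; user and domain are taken from the
	# request, so winbind checks the account that is actually logging in.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# /etc/raddb/eap.conf (tls {} stanza omitted)
eap {
	default_eap_type = peap

	peap {
		# the Windows supplicant carries MS-CHAPv2 inside the PEAP tunnel
		default_eap_type = mschapv2
		# the inner request is handled by the inner-tunnel virtual server,
		# whose authenticate section calls the mschap module above
		virtual_server = "inner-tunnel"
	}

	mschapv2 {
	}
}
```

The user FreeRADIUS runs as must be able to read winbind's privileged pipe directory (normally /var/lib/samba/winbindd_privileged), otherwise --request-nt-key fails from the daemon even though the same ntlm_auth command succeeds from a root shell.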
Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)
Hello,

Just looking for a bit of advice here. I've been setting up freeradius here recently, and whilst I'm mostly finished, there are a few points that still need to be addressed. The main one is sending a (semi) meaningful reply message when a user is rejected.

Unfortunately, I'm having trouble figuring out how to return a Reply-Message from within the inner tunnel. Well, to be more specific, returning that Reply-Message within the final Access-Reject. So far, I've figured that I can update outer.reply within the inner tunnel, but this gets sent out in the Access-Challenge that follows the initial failure, but not subsequently. I've tried to put the update clause within Post-Auth-Type REJECT {}, both in the inner tunnel and outside as well, with no success (the inner one appears never to be called); the outer one has no knowledge of what was set in the inner one, so I could set an arbitrary message such as "failed", but I was hoping to be a little more helpful than that.

Any pointers as to where to look/what to do, or even if this is possible, would be appreciated.

Thanks in advance,

Martin

-- 
Martin Goldstone
IT Systems Administrator, Finance IT
Keele University, Keele, Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457
Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)
On 24/05/11 12:46, Phil Mayers wrote:
> On 24/05/11 12:16, Martin Goldstone wrote:
>> Hello,
>>
>> Just looking for a bit of advice here. I've been setting up freeradius here recently, and whilst I'm mostly finished, there are a few points that still need to be addressed. The main one is sending a (semi) meaningful reply message when a user is rejected.
>>
>> Unfortunately, I'm having trouble figuring out how to return a Reply-Message from within the inner tunnel. Well, to be more specific, returning that Reply-Message within the final Access-Reject.
>
> Do you have this in eap.conf:
>
> eap {
>   peap {
>     use_tunneled_reply = yes
>   }
> }
>
> ?

Yes, I have this in both the peap stanza and the ttls stanza. This seems to be fine when access is accepted; for example, if I set a Reply-Message saying "Welcome" in the post-auth section of the inner-tunnel config, I see this in the final Access-Accept message.

Also, the output from freeradius -X suggests that (in the case of a user rejection) it gets the reply from the tunnel and that tunneled authentication is rejected, but immediately after that it sends an Access-Challenge out, and then upon receipt of another Access-Request, goes into peap, figures it has already rejected this one, and finally sends an Access-Reject, but without any Reply-Message I tried to set in the inner-tunnel.

If I put something in the Post-Auth REJECT section of the outer tunnel, it works, but unfortunately at this point it has no idea of what it had previously set as a Reply-Message, so I can only send an arbitrary string, such as "Authentication Failure", which is a little obvious and unhelpful.

Thanks

-- 
Martin Goldstone
IT Systems Administrator, Finance IT
Keele University, Keele, Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457