Re: I would like help for Freeradius integration on AD domain

2011-05-31 Thread Martin Goldstone
On 31/05/11 14:39, edgardolenza wrote:
 Hello everybody,

Hello

 
 I apologize because I'm new with linux and freeradius also.
 I've read many forums and many howtos but I've got some trouble with user
 authentication on domain controller.
 
 This is my working layout: 
 -I've got an appliance (radius client) getting authentication requests from
 users.
 -the client radius sends authentication requests to the freeradius (using
 CHAP)
 -freeradius has to ask to AD if the user can be authenticated

If you want to use AD, you'll be needing to use MSCHAPv2, realistically.
Most likely inside PEAP, as this is what the MS supplicants use.
Others may also play with EAP-TTLS, but from what I've seen dealing with
802.1x stuff here, it's nearly always MS-CHAPv2 on the inside (although
there are sometimes others available as well)

 
 I've configured many things and I've done many tests: freeradius server
 seems working correctly.
 The machine is in Microsoft domain, I'm able to make queries on ADs.
 When I try to authenticate with domain's I've got problems: I've put the
 debug on bottom of this message.

You need to make sure the freeradius server is joined to the domain
(therefore Samba must be installed). Also, you'll need winbindd running.

*snip*

  Module: Instantiating module mschap from file /etc/raddb/modules/mschap
   mschap {
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
 with_ntdomain_hack = yes
 ntlm_auth = /user/bin/ntlm_auth --request-nt-key
 --username=radiustest
   }

Obviously you'll be wanting to fix the ntlm_auth line as well.

Hope this helps.


-- 

Martin Goldstone              Keele University, Keele,
IT Systems Administrator      Staffordshire, United Kingdom, ST5 5BG
Finance & IT                  Telephone: +44 1782 734457
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
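The mschap stanza below is an added example, not code from the thread or from FreeRADIUS itself. It shows the shape the ntlm_auth line takes once the path is corrected and the hard-coded --username=radiustest is replaced by run-time expansion of the username, challenge and NT-Response from the request, which is what lets winbind verify an MS-CHAPv2 exchange against the domain controller. Plain CHAP cannot be checked this way, since the server would need the cleartext password and AD never hands that out. The domain name MYDOMAIN and the winbindd pipe path in the comments are assumptions for this example.

```conf
# Added example: /etc/raddb/modules/mschap on a FreeRADIUS 2.x server that
# is joined to the domain, with winbindd running.
#
# Assumed prerequisites (not verified here):
#   - the host was joined with "net ads join" (Samba installed)
#   - winbindd is running and "wbinfo -t" reports the trust secret is OK
#   - the user radiusd runs as can read the winbindd privileged pipe
#     directory (assumed path: /var/lib/samba/winbindd_privileged)
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes

	# Corrected from the quoted "/user/bin/ntlm_auth ... --username=radiustest":
	# the binary is under /usr/bin, and username, challenge and NT-Response
	# come from the request via %{...} expansion instead of a fixed value.
	# MYDOMAIN is an assumed NetBIOS domain name; omit --domain to fall back
	# to the workgroup configured in smb.conf.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

Before pointing the module at it, confirm the binary works from a shell as the same user radiusd runs as: `ntlm_auth --request-nt-key --domain=MYDOMAIN --username=radiustest --password=...` should print `NT_STATUS_OK: Success (0x0)`. A permission error on the winbindd privileged pipe at that step is the usual reason the module "can't talk to AD" even though queries with `net ads` or `wbinfo` succeed as root. Run `radiusd -X` and the mschap module output will show the expanded ntlm_auth command line and its exit status for each request.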


Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Martin Goldstone
Hello,

Just looking for a bit of advice here.  I've been setting up freeradius
here recently, and whilst I'm mostly finished, there are a few points
that still need to be addressed.  The main one is sending a (semi)
meaningful reply message when a user is rejected.  Unfortunately, I'm
having trouble figuring out how to return a Reply-Message from within
the inner tunnel.  Well, to be more specific, returning that
Reply-Message within the final Access-Reject.

So far, I've figured that I can update outer.reply within the inner
tunnel, but this gets sent out in the Access-Challenge that follows the
initial failure, but not subsequently.  I've tried to put the update
clause within Post-Auth-Type REJECT {}, both in the inner tunnel and
outside as well, with no success (the inner one appears never to be
called), the outer one has no knowledge of what was set in the inner
one, so I could set an arbitrary message such as failed, but I was
hoping to be a little more helpful than that.

Any pointers as to where to look/what to do, or even if this is
possible, would be appreciated.

Thanks in advance,

Martin

Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Martin Goldstone
On 24/05/11 12:46, Phil Mayers wrote:
 On 24/05/11 12:16, Martin Goldstone wrote:
 Hello,

 Just looking for a bit of advice here.  I've been setting up freeradius
 here recently, and whilst I'm mostly finished, there are a few points
 that still need to be addressed.  The main one is sending a (semi)
 meaningful reply message when a user is rejected.  Unfortunately, I'm
 having trouble figuring out how to return a Reply-Message from within
 the inner tunnel.  Well, to be more specific, returning that
 Reply-Message within the final Access-Reject.
 
 Do you have this in eap.conf:
 
  eap {
   peap {
 use_tunneled_reply = yes
   }
  }
 
 ?

Yes, I have this in both the peap stanza and the ttls stanza.  This
seems to be fine when access is accepted, for example if I set a
Reply-Message saying Welcome in the post-auth section of the
inner-tunnel config, I see this in the final access-accept message.
Also, the output from freeradius -X suggests that (in the case of a user
rejection) it gets the reply from the tunnel and that tunneled
authentication is rejected, but immediately after that it sends an
Access-Challenge out, and then upon receipt of another Access-Request,
goes into peap, figures it has already rejected this one, and finally
sends an Access-Reject, but without any Reply-Message I tried to set in
the inner-tunnel.  If I put something in the Post-Auth REJECT section of
the outer tunnel, it works, but unfortunately at this point it has no
idea of what it had previously set as a Reply-Message, so I can only
send an arbitrary string, such as Authentication Failure, which is a
little obvious and unhelpful.

Thanks