Windows Phone CA verification debugging
Hi list

While I've been quite successful in making preconfigured profiles and docs for our students on how to make a proper wireless configuration, I'm encountering some issues with those (yet quite rare) people with Windows Phone 8 (WP8) systems.

WP8 devices are able to connect without (any) CA or common name verification, but seem to fail when I let them check the CA by choosing it from the device's CA store. (As usual), the client-side error message is not helpful at all (it fails to connect without any error message).

On the desktop side one can at least fire up 'netsh ras diagnostics' to trace (P)EAP and CHAP during connection, which can help figuring out at least something. But on WP8, well, there is no such thing that I've found.

Is there anyone on the FR list who already had to mangle a WP8 device?

-- Mathieu

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Windows Phone CA verification debugging
Hi,

2013/9/16 a.l.m.bu...@lboro.ac.uk
> we've had no problems with self-signed CA or with 3rd party CA and standard RADIUS certificate BUT the certificate must have CRLDP (CRL distribution point) URL defined. that can either be at CA level or RADIUS level - or both.
> eg
>
>     crlDistributionPoints = URI:http://yoururl.here/ca.crl
>
> in the server extensions.

Thank you Alan, at least good to hear someone is out there who got it working. Hmm, the server certificate though seems to contain a CRLDP. I've tried removing personal details and attach the openssl output at the end, maybe someone spots a problem...

Do you happen to have Subject Alternative Names or would you avoid them with RADIUS? (That certificate does have them.) I know for example that some exotic or (very old) browsers can have problems with SAN, but I didn't encounter any with PEAP this far.

The file also contains (in order of appearance): Root CA cert, 1 intermediate CA, then the server cert, if that's of importance.

-- Mathieu

    # openssl x509 -text -in /etc/freeradius/certs/myserver.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: snip!
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
            Validity
                Not Before: snip
                Not After : snip
            Subject: ..., C= ... snip
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: snip! (yes it's larger than 1024 bit) ;-)
                    Modulus: snip
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, TLS Web Server Authentication
                X509v3 Subject Key Identifier:
                    C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73
                X509v3 Authority Key Identifier:
                    keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86
                X509v3 Subject Alternative Name:
                    DNS: snip!
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.2
                    Policy: 1.3.6.1.4.1.23223.1.2.3
                      CPS: http://www.startssl.com/policy.pdf
                      User Notice:
                        Organization: StartCom Certification Authority
                        Number: 1
                        Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://crl.startssl.com/crt2-crl.crl
                Authority Information Access:
                    OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                    CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt
                X509v3 Issuer Alternative Name:
                    URI:http://www.startssl.com/
        Signature Algorithm: sha1WithRSAEncryption
            snip
    -----BEGIN CERTIFICATE-----
    snip
    -----END CERTIFICATE-----
Re: Freeradius 2.1.12 Second LDAP Server
Hi

While I generally chime in with Alan's later message, one important thing you should start reading about and differentiating is Authentication and Authorization (the latter is Accounting of AAA with RADIUS). While you can do Authorization using LDAP with AD, you can't do the Authentication part using LDAP against AD. Using Samba and ntlm_auth is the way to go, due to how AD stores passwords.

Read deployingradius.com, especially the compatibility matrix and "Authentication Systems and Password Compatibility".

You may do LDAP load balancing on the authorization part, but ntlm_auth and balancing / failover is done by Samba. Otherwise, if you want to go deeper, get a RADIUS book :-)

I can confirm that the initial curve may be a bit steep if you haven't done any RADIUS before, but it's well worth it since it gets you a better overall understanding of AAA and RADIUS, which will definitely help if something goes belly up.

-- Mathieu
Re: EAP + SSL + Certificate chains
2013/9/12 Brian Julin bju...@clarku.edu
> Trevor Jennings wrote:
> [...]
>> On OSX, the certificates are marked as valid, including the root, intermediate and server, but still prompts the user to accept. Is there a way around this?
>
> About the only way I can think of is to install a profile (.mobileconfig) which pre-approves the use of that certificate authority.

If you want to make things all nice and green-looking for your end-users, look into mobileconfig signing. TERENA has a good example of how to do this for eduroam: https://confluence.terena.org/display/tcs/Sign+Apple+mobileconfig+files

> Reason being, if you just accept any old certificate authority any compromised certificate will work, and on newer OSX/iOS the only way to check the certificate subject for the name of your RADIUS server.

And as you mention OS X, yes, the same .mobileconfig for iOS will work for OS X 10.7 onwards, which was a quite nice thing in my environment to know.

> [...]
> (Incidentally this is why many environments do not like having Android devices on their wireless LANs since they don't have any such native options accessible from the UI or even a decent way to distribute profiles.

At least from that side there is hope for improvements: with Android 4.3 onwards there are API calls for enterprise wireless configuration. Maybe someone steps up by making an application that can manage profiles or something like this.

> Heck they don't even fake it by making the first certificate they see sticky.

Worse... ;-) It's up to the user to install the CA certificate on their own - even if that is a public CA in Android, they can't select them otherwise (!). At least then authentication stops if you put up a server certificate not signed by that specified CA.

The only open source provisioning tool for Android (that I believe didn't get much traction) is SU1X for Android, made by Swansea University for eduroam.

-- Mathieu
Re: Intermediate SSL certificate
Hi Matthew

2013/8/22 Matthew Ceroni matthewcer...@gmail.com
> I read that for FreeRadius just combine the cert with the intermediate cert into one file and then reference that in eap.conf:certificate_file. I have done that but clients are still failing certificate validation.

Honestly, I also had some hassles with the certificate chain; now we can configure clients to check both the CA as well as the certificate CN. My experience was that I had to honor the certificate order and make sure to not include unused intermediate certificates. That is: Don't include a full CA bundle from your CA, stay way below the 64k limit (http://wiki.freeradius.org/guide/Certificate%20Compatibility).

I used OpenSSL to show both subject and issuer to go through the chain of trust starting with the server certificate, which in my case was StartCom. You'll need to know where you can download all root and intermediate certs from your issuing CA.

    $ openssl x509 -noout -in mysignedservercert.pem -subject -issuer
    subject= removed
    issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

After getting the Class 2 Primary Intermediate Server CA:

    $ openssl x509 -noout -in sub.class2.server.ca.pem -subject -issuer
    subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
    issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

And finally we're up in the chain:

    $ openssl x509 -noout -in ca.pem -subject -issuer
    subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
    issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

    # Build the cert bundle for freeradius (server cert first, then up the chain)
    cat mysignedservercert.pem > myservercert-roots-bundled.pem
    cat sub.class2.server.ca.pem >> myservercert-roots-bundled.pem
    cat ca.pem >> myservercert-roots-bundled.pem

This resulted in an 8k file while StartSSL's CA bundle is 124k.

-- Mathieu
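The ordering rule from the post above (server certificate first, then each issuer up to the root, nothing else, under the 64k limit) is easy to get wrong by hand when a CA ships a large bundle. The following is an added example, not code from the post or from FreeRADIUS: it takes the subject/issuer strings as read off with `openssl x509 -noout -subject -issuer` (the StartCom names are the ones printed above; the leaf subject, the byte sizes and the unrelated "Class 1" intermediate are constructed sample data) and walks the issuer links to produce the bundle order, drop unused certificates and flag a bundle that is too big or mis-ordered.

```python
from dataclasses import dataclass
from typing import List

# Upper bound recommended by the FreeRADIUS certificate compatibility guide cited above.
MAX_BUNDLE_BYTES = 64 * 1024


@dataclass(frozen=True)
class Cert:
    filename: str  # PEM file the certificate was read from
    subject: str   # as printed by: openssl x509 -noout -subject
    issuer: str    # as printed by: openssl x509 -noout -issuer
    size: int      # byte length of the PEM block (constructed sample numbers below)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, pool: List[Cert]) -> List[Cert]:
    """Return [server cert, intermediate(s)..., root] by following issuer -> subject.

    Only certificates reachable from the leaf are kept, so unrelated
    intermediates from a vendor's full CA bundle drop out automatically.
    """
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.self_signed:
        candidates = [c for c in pool if c.subject == current.issuer]
        if not candidates:
            raise LookupError("no certificate with subject %r in pool" % current.issuer)
        nxt = candidates[0]
        if nxt.subject in seen:
            raise ValueError("issuer loop while walking the chain")
        chain.append(nxt)
        seen.add(nxt.subject)
        current = nxt
    return chain


def unused_certs(pool: List[Cert], chain: List[Cert]) -> List[Cert]:
    """Certificates that must NOT go into certificate_file."""
    return [c for c in pool if c not in chain]


def bundle_size(chain: List[Cert]) -> int:
    return sum(c.size for c in chain)


def check_bundle(chain: List[Cert]) -> List[str]:
    """Sanity checks on an ordered bundle; an empty list means it looks right."""
    problems = []
    if chain[0].self_signed:
        problems.append("first certificate is self-signed; the server certificate must come first")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append("%s is not the issuer of %s" % (parent.filename, child.filename))
    if bundle_size(chain) > MAX_BUNDLE_BYTES:
        problems.append("bundle is %d bytes, over the %d byte limit"
                        % (bundle_size(chain), MAX_BUNDLE_BYTES))
    return problems


# Subject/issuer strings from the post; sizes and the Class 1 entry are constructed.
INTERMEDIATE_DN = ("/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing"
                   "/CN=StartCom Class 2 Primary Intermediate Server CA")
ROOT_DN = ("/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing"
           "/CN=StartCom Certification Authority")
OTHER_DN = ("/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing"
            "/CN=StartCom Class 1 Primary Intermediate Server CA")  # constructed

SERVER = Cert("mysignedservercert.pem", "/CN=radius.example.org", INTERMEDIATE_DN, 2100)
POOL = [
    Cert("sub.class1.server.ca.pem", OTHER_DN, ROOT_DN, 3400),  # part of the vendor bundle, unused
    Cert("ca.pem", ROOT_DN, ROOT_DN, 2600),
    Cert("sub.class2.server.ca.pem", INTERMEDIATE_DN, ROOT_DN, 3500),
]

if __name__ == "__main__":
    chain = build_chain(SERVER, POOL)
    print("cat " + " ".join(c.filename for c in chain) + " > myservercert-roots-bundled.pem")
    print("skipped:", [c.filename for c in unused_certs(POOL, chain)])
    print("size:", bundle_size(chain), "problems:", check_bundle(chain))
```

The same subject/issuer walk is what a client performs when validating the chain, so a bundle that `check_bundle` rejects is one a picky supplicant (Windows in the threads on this page) is likely to reject too.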
Re: authentication by hostname
Hi

Could it be you are in an AD environment? Your request looks like what I see in my environment. If so: Domain-joined Windows machines (for what I have tested) have a computer account in AD. This can be used by the Windows client (never tested with domain-joined Macs or Linux machines) to authenticate as a machine against the network (using PEAP-MSCHAPv2). Technically you don't authenticate by hostnames but you use the computer's AD account. Another way would be to use EAP-TLS with certificates on your machines.

If you implement the Samba/winbind way as described by deployingradius.com you can authenticate computer accounts. It required me to tweak the LDAP default config for group-based authorization, but in case this is what you are looking for, ping back and I can show you the LDAP filters I use.

If you are only into authentication, most likely the public pages will already let you in, but (at least on Debian wheezy) I had to modify modules/mschap as follows:

    mschap {
        ...
        with_ntdomain_hack = yes
        ...
        # Debian
        # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
        # Mine (at least that made it work)
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
        ...
    }

-- Mathieu
Re: How to get vendor-specific attribute value pairs
As a short update on this topic - I thought it might be worth sharing since I've been successful in getting authorized via FR to privileged exec mode on a Netgear GSM7224P (F/W 1.0.1.21). Netgear is based on Broadcom FASTPATH (MIBs tell so) - as are some Dell PowerConnects - and fortunately both CLI and behaviour are very close; they also behave quite similar to Cisco IOS CLI. Some documentation exists on the net on how to get SSH login working with PowerConnects but I've not found real examples for Netgears.

I was successfully authorized to level 15 when I added an update reply section sending either / or:

    - Cisco-AVPair := "shell:priv-lvl=15"
    - Service-Type = Administrative-User

It worked with both messages. I've once read that some newer Dells started preferring the second, less Cisco-centric, message, but with Netgear's (currently) latest firmware it seems to work with both.

On the switch I had to configure the radius server address and auth lists (actually Web UI have their own, httplist / httpslist) for Console/Telnet/SSH. I also had to set the following line to get privilege level 15:

    aaa authorization exec default radius local *

That apparently was helping the switch to understand the message sent by FreeRADIUS. I'll have to clean up things a little but at least this seems to be working now, no more clunky shared $enab15$ user required :-)

-- Mathieu

* Which is similar to Cisco's 'aaa authorization exec default group radius none' I found here - kudos to: http://lists.freeradius.org/pipermail/freeradius-users/2008-July/029800.html
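To make concrete what the two reply attributes from this thread look like on the wire, here is an added example (not from the post and not FreeRADIUS code) that encodes an Access-Accept carrying Service-Type = Administrative-User and a Cisco-AVPair VSA with `shell:priv-lvl=15`, following RFC 2865: Service-Type is attribute 6 with integer value 6, Vendor-Specific is attribute 26 with Vendor-Id 9 (Cisco) and vendor type 1 (Cisco-AVPair), and the Response Authenticator is MD5 over code, id, length, the request authenticator, the attributes and the shared secret. The decoder shows what the switch has to parse back. The shared secret and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import List, Tuple

CODE_ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6
VENDOR_CISCO = 9        # IANA enterprise number used in the Vendor-Id field
CISCO_AVPAIR = 1        # vendor type of Cisco-AVPair
HEADER_LEN = 20         # code(1) id(1) length(2) authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts its own two header bytes (RFC 2865 s.5)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def service_type(value: int) -> bytes:
    return attribute(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Vendor-Specific (RFC 2865 s.5.26): 4-byte Vendor-Id, then a nested TLV."""
    if len(data) > 247:  # 253 minus Vendor-Id (4) minus vendor type/length (2)
        raise ValueError("vendor data too long for a single VSA")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def access_accept(identifier: int, request_authenticator: bytes,
                  secret: bytes, attrs: List[bytes]) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS does before trusting a reply: recompute and compare in constant time."""
    header, body = packet[:4], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], HEADER_LEN
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def decode_vsa(value: bytes) -> Tuple[int, int, bytes]:
    """Return (vendor_id, vendor_type, data) from a Vendor-Specific value."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    vendor_type, vendor_len = value[4], value[5]
    if vendor_len != len(value) - 4:
        raise ValueError("vendor length does not match VSA length")
    return vendor_id, vendor_type, value[6:4 + vendor_len]


def priv15_reply(identifier: int, request_authenticator: bytes, secret: bytes) -> bytes:
    """Both attributes at once, which the post reports the Netgear accepts."""
    return access_accept(identifier, request_authenticator, secret, [
        service_type(SERVICE_TYPE_ADMINISTRATIVE_USER),
        vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:priv-lvl=15"),
    ])


# Constructed sample values; a real request authenticator is 16 random bytes.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"testing123"

if __name__ == "__main__":
    pkt = priv15_reply(0x2A, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    print(pkt.hex())
    for attr_type, value in parse_attributes(pkt):
        print(attr_type, decode_vsa(value) if attr_type == ATTR_VENDOR_SPECIFIC else value)
```

Note that the Response Authenticator only binds the reply to the request and the shared secret; it does not identify which attributes the NAS understands, which is the point Arran makes further down this page about unknown VSAs.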
Re: PEAP using different CA?
Hi Fernando

2013/7/10 Fernando Hammerli fhamme...@puc-rio.br
> Got it now, as you said. Using the public CA certs on certificate_file (and related private key), and included the public CA chain on the CA_file (together with my own CA).

Yep, mostly, except that I put the private key not inside certificate_file but separately into private_key_file (although the config says that you can put it in the same file).

> Still needs more testing (in more environments), but seems to be working.

Make sure to test with a variety of devices/OS. Windows (as it has shown to me and as the wiki says) is very picky, while Android I've seen simply ignore server certificate data and continue. Make sure to not put a CA cert bundle from your CA + your cert inside certificate_file but only those certs used in the chain of trust so you don't get over 64k (see http://wiki.freeradius.org/guide/Certificate%20Compatibility).

-- Mathieu
How to get vendor-specific attribute value pairs
G'day list

I have been tinkering with some Netgear managed L2/L3 switching stuff and got the login working via freeradius (actually quite simple compared to EAP stuff for wireless). But when issuing enable after login, going into what they call Privileged EXEC mode, it will - very similar to Cisco - send a request for a user $enab15$ to the radius server when FR doesn't send Cisco's own attribute value pair for privileges. At least defining such a user leads to working elevation to this privileged mode, but requires it instead of using the network admin's own password.

In general a lot of commands on these Netgears are (very much) similar to Cisco IOS, where one can use the shell:priv-lvl=15 avpair during authentication so the Cisco switch/router knows the privilege level of the logged in user and thus won't ask for a $enab15$ user.

FreeRADIUS doesn't have a dictionary for Netgear stuff yet. I don't think Netgear copied Cisco's own AVpair use, but in case they do have their own AV pairs, how do you guys generally identify them?

Best regards
Mathieu
Re: How to get vendor-specific attribute value pairs
G'day

2013/7/10 Arran Cudbard-Bell a.cudba...@freeradius.org
> On 10 Jul 2013, at 12:46, Mathieu Simon mathieu@gmail.com wrote:
>> FreeRADIUS doesn't have a dictionary for Netgear stuff yet. I don't think Netgear copied Cisco's own AVpair use, but in case they do have their own AV pairs, how do you guys generally identify them?
>
> By asking Netgear. There's no way to query the NAS to determine which attributes it supports. Or to decode unknown VSAs into meaningful data. This is not a limitation of FreeRADIUS, but a limitation of the protocol.

Thank you Arran, that's what I suspected but hoped that there would be another way to find out. I'll see if Netgear is willing to approve the existence of AV pairs (and if they're willing to share them).

-- Mathieu
Re: PEAP using different CA?
Hi

As a possible hint, since your question sounds similar to an issue I had: I was looking to provide a server-side certificate to my clients from a public CA but only allow clients to authenticate via EAP-TLS when presenting a cert from our internal CA, which avoids the misconfiguration to trust any certificate issued by the public CA.

Check the difference of CA_file (containing the root CA cert of your internal CA), but set the server cert (including cert chain) inside certificate_file. (http://lists.freeradius.org/pipermail/freeradius-users/2013-April/065990.html)

Regards,
Mathieu
Re: MS-CHAP2 fails - samba version?
On 08.07.2013 16:30, Phil Mayers wrote:
> On 08/07/13 14:59, Lovaas,Steven wrote:
>> Exec-Program output: Reading winbind reply failed! (0xc001)
>
> Check the permissions on the winbind socket, which usually lives in either /var/cache/samba/winbindd_privileged or /var/lib/samba/winbindd_privileged

I guess Debian wheezy is mostly the same as Ubuntu (where it is: /var/run/samba/winbindd_privileged). I had to add the freeradius user to this privileged group using:

    sudo adduser freerad winbindd_priv

to make it work. I hope that helps.

-- Mathieu
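A quick way to confirm the permission problem from this thread before touching groups is to check whether the account the daemon runs as can actually enter the winbindd_privileged directory. The following is an added example, not code from the thread or from Samba/FreeRADIUS; the candidate paths and the `freerad` user name are the ones mentioned above, the rest is an assumption. It uses only the standard library and, because the real directory is root-owned, `demo()` exercises the same check on a temporary directory set to mode 0750 (constructed stand-in).

```python
import grp
import os
import pwd
import stat
import tempfile
from typing import Optional, Set, Tuple

# Locations named in the thread above (Ubuntu/Debian, RHEL-style, and /var/lib).
CANDIDATE_DIRS = (
    "/var/run/samba/winbindd_privileged",
    "/var/cache/samba/winbindd_privileged",
    "/var/lib/samba/winbindd_privileged",
)
RX_USER = stat.S_IRUSR | stat.S_IXUSR
RX_GROUP = stat.S_IRGRP | stat.S_IXGRP
RX_OTHER = stat.S_IROTH | stat.S_IXOTH


def group_ids_of(username: str) -> Set[int]:
    """Primary gid plus every supplementary group the account is listed in."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids


def directory_reachable(path: str, uid: int, gids: Set[int]) -> bool:
    """True if an account with this uid/gid set can read and enter the directory.

    winbindd_privileged is normally root:winbindd_priv mode 0750, so the only
    intended route for the radius daemon is membership of that group.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return mode & RX_USER == RX_USER
    if st.st_gid in gids:
        return mode & RX_GROUP == RX_GROUP
    return mode & RX_OTHER == RX_OTHER


def check_winbind_socket_dir(username: str = "freerad") -> Optional[Tuple[str, bool, str]]:
    """Return (path, reachable, owning group) for the first candidate that exists."""
    pw = pwd.getpwnam(username)
    gids = group_ids_of(username)
    for path in CANDIDATE_DIRS:
        if os.path.isdir(path):
            group = grp.getgrgid(os.stat(path).st_gid).gr_name
            return path, directory_reachable(path, pw.pw_uid, gids), group
    return None


def demo() -> Tuple[bool, bool]:
    """Same check against a constructed 0750 directory: (group member, outsider)."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o750)
        gid = os.stat(d).st_gid
        member = directory_reachable(d, -1, {gid})   # uid -1: never the owner
        outsider = directory_reachable(d, -1, set())
    return member, outsider


if __name__ == "__main__":
    print(demo())
    try:
        print(check_winbind_socket_dir())
    except KeyError:
        print("no such user on this host")
```

If `check_winbind_socket_dir()` reports the directory as not reachable and the owning group is `winbindd_priv`, the `adduser freerad winbindd_priv` step from the thread is the fix; the daemon then needs a restart to pick up the new group.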
Re: inactive users can authenticate
G'day all, and thanks Phil for your hints (Arran, I'd want to leave 3.0 as an option of last resort even though it's considered RC by now) ;-)

> try moving mschap after LDAP in authorise

Tried this one, no change unfortunately.

> Second, I can't remember if mschap checks the acct control flags in authorize or authenticate. If the latter you'll need to move away from using LDAP bind for auth

Hmm, I guess that would require me studying the code :-\

Anyway, I'm not entirely sure if I'm going to stay with this setup of this Debian derivative since it uses its own AD to local OpenLDAP replication and it didn't entirely convince me (too many replications and components talking to each other).

Best regards
Mathieu

2013/6/26 Phil Mayers p.may...@imperial.ac.uk
> Couple of things: IIRC the account control flags are checked by the mschap module, which I see is running before the LDAP lookup - try moving mschap after LDAP in authorise
>
> Second, I can't remember if mschap checks the acct control flags in authorize or authenticate. If the latter you'll need to move away from using LDAP bind for auth
>
> -- Sent from my phone, please excuse brevity and typos

-- Mathieu Simon mathieu@gmail.com
Re: inactive users can authenticate
G'day all

I've taken out a configuration from an earlier prototype that I used with Samba/Winbind authentication but didn't use rlm_ldap for authorization back then. (Having some archives can be quite useful sometimes...) ;-)

Since ntlm_auth properly leads to Access-Rejects for disabled users, I can ignore how good or how bad rlm_ldap behaves for disabled users as long as it properly checks for group memberships (that's what I'm interested in for LDAP checks). And even if Arran points out the brokenness of the rlm_ldap code in FR 2.x, group checks based on rlm_ldap are working as expected - and that's what I'm required to get working with this setup.

Regarding...
> Since your testing auth request was PAP, mschap will never be called for this, so you're stuck basically.

The result was the same when using radtest with -t mschap, if that's what you're pointing out.

I guess for the current time I'm going to stay with an ADS-joined Samba and use LDAP only for the authorization part. Summing up, I feel I'm ending up with fewer components, taming overall complexity a bit.

Thank you guys for your inputs!

-- Mathieu
Question on ldap module's base_filter
G'day list

I've come across an issue with the ldap module parameter base_filter, and I'm not yet sure whether I'm hitting a bug (I guess: less likely) or I'm missing / misunderstanding its correct use.

I'm running a Debian Squeeze derivative (Univention Corporate Server), FR 2.1.10 and OpenLDAP. On squeeze base_filter comes preconfigured as disabled:

    #base_filter = "(objectclass=radiusprofile)"

Now my idea was to set

    base_filter = "(sambaAcctFlags=[U ])"

to only let user objects (that are not disabled) get authorized. This field is present on user objects so it would be great to have it used somehow. The curious thing was that with radtest I always get Access-Accept even when a user has the disabled flag (sambaAcctFlags=[UD ]). This led me to check whether I can just set

    base_filter = "(notExisting=thisDoesntExist)"

And the result also was: Access-Accept, so I guess base_filter isn't read as I'd have expected it at first sight :-\

When I launch freeradius in debug mode I can see a message

    base_filter = "(sambaAcctFlags=[U ])"

passing on the screen, so I guess the value at least is getting read. Can you give me a clever hint where/what to look for?

Best regards
Mathieu
Question on certificates before deep dive into EAP-TLS
G'day

As a (hopefully) answerable question to those experienced with EAP-TLS, which I've been twisting my brain over: Usually I've seen examples for EAP-TLS setups that used a server-side certificate issued from the same CA as the one that should allow EAP-TLS clients who present their certificate to FR. Am I guessing correctly that CA_file can contain a different list of CA(s) than the server certificate that is shown to the client?

(Taken from Debian's FR 2.1.12) eap.conf:

    tls {
        [...]
        certificate_file = /etc/freeradius/ssl/cert.p
        # Trusted Root CA list
        CA_file = /etc/univention/ssl/ucsCA/CAcert.pem
        [...]

The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA) while some devices could login using EAP-TLS but only when they present a certificate from an internal CA (that usually isn't trusted by devices outside of the control of the IT department).

Best regards
Mathieu
Re: Question on certificates before deep dive into EAP-TLS
Hi

On 11.04.2013 20:08, Alan DeKok wrote:
> snip!
>> The real-life example would be that people could use PEAP-MSCHAPv2 for credential-based logins (server certificate being signed by a trusted external CA)
>
> While that works, it's not recommended. It means that the client will trust *any* certificate signed by that CA, for network access. It's usually a bad idea.

Correct, that for sure isn't what I'd want :-) certificate_file - the server-side certificate - would contain the certificate (and its trust chain) by the trusted CA. CA_file would only contain the internal CA, such that only those signed by the one internal CA IT has control over would be accepted by FR. (Oh, and I'd want to have a regularly up-to-date revocation list...)

> snip!
> You don't need one CA per EAP method.

Sure, I am only looking for the server-side certificate (certificate_file) being signed by a CA that most devices trust - since most of the users are going to use PEAP-MSCHAPv2 with devices not under direct control of IT. Telling students how to install an internal CA root isn't going to work; it already didn't work for teachers in the past ... But allowing only (internal) devices with certs from the internal CA through CA_file would allow us to more easily integrate those non-personal but school-owned devices.

I just hope I'm not telling complete bullshit... ;-) Thank you Alan for your time to answer!

-- Mathieu
Re: upgrading freeradius
On 27.01.2013 21:52, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>> 2.1.10 is the version delivered by your distribution - and contains backported security bugfixes released until 2.2.0. In terms of security, your version is fine.
>
> why? why do that? why not simply release 2.2.0 - you are CONFUSING your users and CONFUSING those people who support them. if it says 2.1.10 then one can only ASSUME that it's 2.1.10

Yes, somewhat true, but that's how a couple of distributions consider 'stable' releases: Stick with a version of a software and backport (bug and) security updates to this version (and only update the version of a package at a new distro release). Enterprise distributions or commercial Unix often do much heavier backporting than what Debian/Ubuntu do, just to deliver the very same version during the period of time the package is bundled with a release of their distro/software.

You have to weigh the advantages vs. disadvantages like breaking support from your distributor, in this case Canonical. But I agree that asking on this list is likely to yield the answer "upgrade first" in case of problems. An Ubuntu PPA can be a very good thing - but you have to trust a third party. That said, I really like PPAs when the packagers do good work and care about updating the packages - thanks Fajar for maintaining this repository!

-- Mathieu
Re: upgrading freeradius
Hi

On 27.01.2013 14:00, Tzvika Gelber wrote:
> I have a working server running on version 2.1.10. I just saw that there is version 2.2.0 and I would like to ask if an upgrade is a must and where can I find the documentation about how to do such a thing? My FR is running on Ubuntu 12.04.

2.1.10 is the version delivered by your distribution - and contains backported security bugfixes released until 2.2.0. In terms of security, your version is fine.

You could move to 2.2.0, but that requires more work like:
- building from source
- looking around for backported DEB packages (or building your own)
- moving to a newer (non-LTS) version of Ubuntu (will give you 2.1.12 right now)

As long as you're not missing specific features or bugfixes only found after 2.1.10 was released, you can safely stay on that version. There are however circumstances where building from source gives the extra flexibility and bleeding edge code for your special use case, but that's not always outweighing the invested time to build and maintain it on your own.

-- Mathieu
Re: AD Authentication Permissions
Hi Tyler

Since I'm in a similar situation with AD but still learning, just general experience with other applications from the *nix world authenticating against AD:

2013/1/9 John Dennis jden...@redhat.com:
> On 01/09/2013 02:00 PM, Tyler Brady wrote:
>> Can someone give more details on setting up LDAP groups? So far I have attempted to modify the users file and the ldap module. I can't seem to get the ldap module configured properly, but I'm sure that's just one of many issues.
>>
>>     ldap {
>>         #
>>         # Note that this needs to match the name in the LDAP
>>         # server certificate, if you're using ldaps.
>>         server = "ldap.your.domain"
>>         #identity = "cn=admin,o=My Org,c=UA"
>>         #password = mypass
>>         basedn = "o=My Org,c=UA"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         #base_filter = "(objectclass=radiusprofile)"
>>
>> cn = username (is this correct)
>> o = domain (is this correct)
>> c = ? (what does this field mean)

Your AD admin (you?) needs to create a basic user account, no domain admin needed - who can read the parts of your AD/LDAP tree, as John said. (We maintain a couple of srv-* accounts here to quickly distinguish them from real user accounts.) You'll need the value of the distinguishedName attribute on AD; your admin can give you this value, but it's hidden by default in the GUI.*

For server= (don't know if recommended for FR too): You could point to your.domainname, as this is a DNS record maintained by your AD-integrated nameservers which will point to all addresses of your current DCs.

BaseDN - yeah, look up a little what it is; it's the base your FR will start looking up inside the LDAP tree.

Regards
Mathieu

* http://www.sharepointboost.com/blog/how-to-find-attributes-of-objects-in-active-directory/
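Two things in the ldap module config discussed on this page deserve a worked example: the `filter` line above expands `%{User-Name}` straight into an LDAP filter, so the value must be escaped per RFC 4515 before it is handed to the directory, and the `sambaAcctFlags` idea from the base_filter question earlier on this page (`(sambaAcctFlags=[U ])`) relies on an equality match against a string that Samba pads to a fixed width, so a substring match is the robust way to express "user account, not disabled". The following is an added example, not FreeRADIUS or Samba code: the escaping routine, a parser for the flag string, and the filter built from both; the directory entries are constructed sample data.

```python
from typing import Dict, List, Set

# RFC 4515 section 3: these characters must be escaped as \XX inside a filter value.
_SPECIAL = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter structure."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # non-printable and non-ASCII: escape each UTF-8 byte
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def parse_samba_flags(raw: str) -> Set[str]:
    """sambaAcctFlags looks like '[UD         ]': flag letters, space padded, in brackets."""
    if not (raw.startswith("[") and raw.endswith("]")):
        raise ValueError("not a sambaAcctFlags value: %r" % raw)
    return set(raw[1:-1].replace(" ", ""))


def is_enabled_user(raw: str) -> bool:
    """'U' marks a user account, 'D' marks it disabled (computer accounts carry 'W')."""
    flags = parse_samba_flags(raw)
    return "U" in flags and "D" not in flags


def user_filter(username: str) -> str:
    """Filter for: this uid, is a user account, and is not disabled.

    Substring matching on the flag string avoids depending on the exact
    padding or on the order in which Samba writes the flag letters.
    """
    return ("(&(uid=%s)(sambaAcctFlags=*U*)(!(sambaAcctFlags=*D*)))"
            % escape_filter_value(username))


def select_enabled(entries: List[Dict[str, str]], username: str) -> List[str]:
    """Apply the same test in Python to a list of entries (what the server would return)."""
    return [e["dn"] for e in entries
            if e["uid"] == username and is_enabled_user(e["sambaAcctFlags"])]


# Constructed sample directory entries.
SAMPLE_ENTRIES = [
    {"dn": "uid=jdoe,ou=users,dc=example,dc=org", "uid": "jdoe",
     "sambaAcctFlags": "[U          ]"},
    {"dn": "uid=old,ou=users,dc=example,dc=org", "uid": "old",
     "sambaAcctFlags": "[UD         ]"},
    {"dn": "uid=pc01$,ou=computers,dc=example,dc=org", "uid": "pc01$",
     "sambaAcctFlags": "[W          ]"},
]

if __name__ == "__main__":
    for name in ("jdoe", "old", "pc01$", "*)(uid=*"):
        print(user_filter(name), "->", select_enabled(SAMPLE_ENTRIES, name))
```

The computer account in the sample shows the trade-off with the machine-authentication thread on this page: a filter that insists on `U` keeps domain-joined machines (`W`) out of the user lookup, so machine authentication needs its own filter or a broader one.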
Re: AD Authentication Permissions
G'day all

2013/1/5 Alan DeKok al...@deployingradius.com:
> [snip]
> Set up groups in LDAP. See the LDAP / AD documentation. Then, in FreeRADIUS, check them:
>
>     #-- users file
>     DEFAULT LDAP-Group == "foo", ...
>     ...
>     #---

(Protest if this may sound like hijacking this thread...)

As a short question, since Tyler was asking for AD as backend - which I have read (so far) can't use the LDAP module since AD stores ntlm hashes - at least not for authentication. But then for LDAP groups, how is that supposed to be done when using Samba/Winbind/ntlm_auth? Can I use LDAP groups for authorization (interestingly something I've not really found covered online or in FreeRADIUS books I've had at hand)?

Best regards
Mathieu
Re: AD Authentication Permissions
G'day Alan(s)

2013/1/5 a.l.m.bu...@lboro.ac.uk:
> snip
> huh? this wasn't about authentication, it was about authorization - ie passing back details about what a user can do on some kit - that works 100% fine with LDAP and AD

Thank you both for pointing me in the correct direction by pointing me back at the authentication != authorization thing. I'm messing around with configuration files - yes, I agree to being a beginner even after some time wrestling with FreeRADIUS now. ;-)

The thing I did here in my test env wasn't actually doing authorization, but kind of authentication restriction, via ntlm_auth's --require-membership-of parameter during the authentication phase.

Thank you guys!

-- Mathieu