Windows Phone CA verification debugging

2013-09-16 Thread Mathieu Simon
Hi list

While I've been quite successful in making preconfigured profiles and docs
for our students on how to make proper wireless configuration, I'm
encountering some issues with those (yet quite rare) people with Windows
Phone 8 (WP8) systems.

WP8 devices are yet able to connect without (any) CA or common name
verification, but seem to fail when I let them check the CA by choosing it
from the device's CA store. (As usual), the client-side error message is not
helpful at all (it fails to connect without any error message).

On the desktop side one can at least fire up 'netsh ras diagnostics' to
trace (P)EAP and CHAP during connection, which can help figuring out at
least something. But on WP8, well, there is no such thing that I've found.
Is there anyone on the FR list who already had to mangle a WP8 device?

-- Mathieu
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Windows Phone CA verification debugging

2013-09-16 Thread Mathieu Simon
Hi,

2013/9/16 a.l.m.bu...@lboro.ac.uk


 we've had no problems with self-signed CA or with 3rd party CA and standard
 RADIUS certificate BUT the certificate must have CRLDP (CRL distribution
 point)
 URL defined. that can either be at CA level or RADIUS level - or both.

 eg

 crlDistributionPoints = URI:http://yoururl.here/ca.crl

 in the server extensions.

Thank you Alan, at least good to hear someone is out there who got it
working.

Hmm, the server certificate though seems to contain a CRLDP. I've tried
removing personal data and attached the openssl output at the end, maybe
someone spots a problem...

Do you happen to have Subject Alternate Names or would you avoid it with
RADIUS? (That certificate does have them.) I know for example that some
exotic or (very old) browsers can have problems with SAN, but I haven't
encountered any with PEAP this far.

The file also contains (in order of appearance): Root CA cert, 1
intermediate CA, then the server cert, if that's of importance.

-- Mathieu

# openssl x509 -text -in /etc/freeradius/certs/myserver.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: snip!
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
        Validity
            Not Before: snip
            Not After : snip
        Subject: ..., C= ... snip
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: snip! (yes it's larger than 1024 bit) ;-)
                Modulus:
                    snip

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                C7:A3:52:3B:4A:15:BD:0E:40:B9:71:95:1B:71:27:57:4E:3D:13:73
            X509v3 Authority Key Identifier:
                keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86

            X509v3 Subject Alternative Name:
                DNS: snip!
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 2 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.

            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.startssl.com/crt2-crl.crl

            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt

            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
        snip
-----BEGIN CERTIFICATE-----
snip
-----END CERTIFICATE-----

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-14 Thread Mathieu Simon
Hi

While I generally chime in with Alan's later message, one important thing
you should start reading about and differentiating is Authentication and
Authorization (the latter is Accounting of AAA with RADIUS).

While you can do Authorization using LDAP with AD, you can't do the
Authentication part using LDAP against AD. Using Samba and ntlm_auth is the
way to go, due to how AD stores passwords.

Read deployingradius.com, especially the compatibility matrix and
Authentication Systems and Password Compatibility.

You may do LDAP load balancing on the authorization part, but ntlm_auth and
balancing / failover is done by Samba. Otherwise, if you want to go deeper,
get a RADIUS book :-) I can confirm that the initial curve may be a bit
steep if you haven't done any RADIUS before, but it's well worth it since it
gets you a better overall understanding of AAA and RADIUS, which will
definitely help if something goes belly up.

-- Mathieu

Re: EAP + SSL + Certificate chains

2013-09-12 Thread Mathieu Simon
2013/9/12 Brian Julin bju...@clarku.edu


  Trevor Jennings wrote:

 [...]

  On OSX, the certificates are marked as valid, including the root,
 intermediate
  and server, but still prompts the user to accept. Is there a way around
 this?

 About the only way I can think of is to install a profile (.mobileconfig)
 which
 pre-approves the use of that certificate authority.

If you want to make things all nice and green-looking for your end-users,
look into mobileconfig signing. TERENA has a good example of how to do this
for eduroam:
https://confluence.terena.org/display/tcs/Sign+Apple+mobileconfig+files

 Reason being, if you just
 accept any old certificate authority any compromised certificate will
 work, and
 on newer OSX/iOS the only way to check the certificate subject for the name
 of your RADIUS server.

And as you mention OS X, yes, the same .mobileconfig for iOS will work for
OS X 10.7 onwards, which was quite a nice thing to know in my environment.

 [...]

(Incidentally this is why many environments do not like having Android
 devices
 on their wireless LANs since they don't have any such native options
 accessible
 from the UI or even a decent way to distribute profiles.


At least from that side there is hope for improvements: with Android 4.3
onwards there are API calls for enterprise wireless configuration.

Maybe someone steps up by making an application that can manage profiles
or something like this.

 Heck they don't even fake it by making the first certificate they see
 sticky.

Worse... ;-)

It's up to the user to install the CA certificate on their own - even if
that is a public CA in Android, they can't select them otherwise (!). At
least then authentication stops if you put up a server certificate not
signed by that specified CA.

The only open source provisioning tool for Android (that I believe didn't
get much traction) is SU1X for Android, made by Swansea University for
eduroam.

-- Mathieu

Re: Intermediate SSL certificate

2013-08-26 Thread Mathieu Simon
Hi Matthew

2013/8/22 Matthew Ceroni matthewcer...@gmail.com


 I read that for FreeRadius just combine the cert with the intermediate
 cert into one file and then reference that in eap.conf:certificate_file.

 I have done that but clients are still failing certificate validation.


Honestly I also had some hassles with the certificate chain; now we can
configure clients to check both the CA as well as the certificate CN.

My experience was that I had to honor the certificate order and make sure
to not include unused intermediate certificates. That is: don't include a
full CA bundle from your CA; stay way below the 64k limit
(http://wiki.freeradius.org/guide/Certificate%20Compatibility)

I used OpenSSL to show both subject and issuer to go through the chain of
trust starting with the server certificate, which in my case was StartCom.
You'll need to know where you can download all root and intermediate
certificates from your issuing CA.

$ openssl x509 -noout -in mysignedservercert.pem -subject -issuer
 subject= removed
 issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

After getting the Class 2 Primary Intermediate Server CA:
$ openssl x509 -noout -in sub.class2.server.ca.pem -subject -issuer
 subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

And finally we're up in the chain:
$ openssl x509 -noout -in ca.pem -subject -issuer
 subject= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
 issuer= /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

# Build the cert bundle for freeradius (server cert first, then up the chain)
cat mysignedservercert.pem > myservercert-roots-bundled.pem
cat sub.class2.server.ca.pem >> myservercert-roots-bundled.pem
cat ca.pem >> myservercert-roots-bundled.pem

This resulted in an 8k file while StartSSL's CA bundle is 124k.

-- Mathieu
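Automating the chain walk from the post above, as an added example (not the author's script nor a FreeRADIUS tool): starting from the server certificate it looks up each issuer in a directory of CA certificates, appends only the intermediates on that path plus the self-signed root, and refuses a result above the 64k limit cited above. File and directory names are placeholders; the two helper functions at the end let you eyeball the resulting order.

```shell
#!/bin/sh
# build_eap_chain.sh (hypothetical helper written for this thread, not a
# FreeRADIUS tool): assemble the certificate_file for EAP by walking from the
# server certificate up to its self-signed root and appending only the
# intermediates that lie on that path, never a whole CA bundle.
set -eu

# cert_name <subject|issuer> <cert.pem>: print the name without the
# "subject=" / "issuer=" prefix so the two can be compared as strings.
cert_name() {
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# build_chain <server.pem> <dir-with-CA-pems> <out.pem>
# Output order: server cert, each intermediate in issuing order, root last
# (the order the post above settled on). Returns 1 when an issuer is missing
# from the directory, 2 when the result exceeds the 64k limit from the
# FreeRADIUS certificate compatibility page.
build_chain() {
    srv=$1; cadir=$2; out=$3
    cp "$srv" "$out"
    cur=$srv
    while :; do
        subj=$(cert_name subject "$cur")
        iss=$(cert_name issuer "$cur")
        # subject == issuer means we reached the self-signed root: done.
        [ "$subj" = "$iss" ] && break
        found=
        for c in "$cadir"/*.pem; do
            [ "$(cert_name subject "$c")" = "$iss" ] && { found=$c; break; }
        done
        if [ -z "$found" ]; then
            echo "issuer not found in $cadir: $iss" >&2
            return 1
        fi
        cat "$found" >> "$out"
        cur=$found
    done
    size=$(wc -c < "$out")
    if [ "$size" -gt 65536 ]; then
        echo "bundle is $size bytes, above the 64k limit" >&2
        return 2
    fi
    return 0
}

# chain_depth <bundle.pem>: number of certificates in the bundle.
chain_depth() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# nth_subject <bundle.pem> <n>: subject of the n-th certificate (1-based),
# handy for checking that the order is server, intermediate(s), root.
nth_subject() {
    awk -v n="$2" '/BEGIN CERTIFICATE/ { i++ } i == n' "$1" \
        | openssl x509 -noout -subject | sed 's/^[a-z]*= *//'
}

# Usage: build_eap_chain.sh server.pem /path/to/ca-certs certificate_file.pem
if [ "$#" -eq 3 ]; then
    build_chain "$1" "$2" "$3"
    i=1
    while [ "$i" -le "$(chain_depth "$3")" ]; do
        echo "$i: $(nth_subject "$3" "$i")"
        i=$((i + 1))
    done
fi
```

Point certificate_file in eap.conf at the resulting bundle; CA_file stays separate and holds only the CA(s) whose client certificates you want to accept.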

Re: authentication by hostname

2013-07-23 Thread Mathieu Simon
Hi

Could it be you are in an AD environment? Your request looks like what I
see in my environment. If so: domain-joined Windows machines (for what I
have tested) have a computer account in AD. This can be used by the Windows
client (never tested with domain-joined Macs or Linux machines) to
authenticate as a machine against the network (using PEAP-MSCHAPv2).
Technically you don't authenticate by hostnames but you use the computers'
AD account.

Another way would be to use EAP-TLS with certificates on your machines.

If you implement the Samba/winbind way as described by deployingradius.com
you can authenticate computer accounts. It required me to tweak the LDAP
default config for group-based authorization, but in case this is what you
are looking for, ping back and I can show you the LDAP filters I use.

If you are only into authentication, most likely the public pages will
already let you in, but (at least on Debian wheezy) I had to modify
modules/mschap as follows:

mschap {

...
    with_ntdomain_hack = yes
...
    # Debian
    # ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
    # Mine (at least that made it work)
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
...
}

-- Mathieu

Re: How to get vendor-specific attribute value pairs

2013-07-15 Thread Mathieu Simon
As a short update on this topic - I thought it might be worth sharing the
update since I've been successful in getting authorized via FR to
privileged exec mode on a Netgear GSM7224P (F/W 1.0.1.21).

Netgear is based on Broadcom FASTPATH (MIBs tell so) - as are some Dell
PowerConnects - and fortunately both CLI and behaviour are very close; they
also behave quite similar to Cisco IOS CLI. Some documentation exists on
the net on how to get SSH login working with PowerConnects but I've not
found real examples for Netgears.

I was successfully authorized to level 15 when I added an update reply
section sending either / or:
- Cisco-AVPair := "shell:priv-lvl=15"
- Service-Type = Administrative-User

It worked with both messages. I've once read that some newer Dells started
preferring the second, less Cisco-centric, message, but with Netgear's
(currently) latest firmware it seems to be working with both.

On the switch I had to configure the radius server address and auth lists
(actually Web UIs have their own, httplist / httpslist) for
Console/Telnet/SSH. I also had to set the following line to get privilege
level 15: aaa authorization exec default radius local *

That apparently was helping the switch to understand the message sent by
FreeRADIUS. I'll have to clean up things a little but at least this seems
to be working now; no more clunky shared $enab15$ user required :-)

-- Mathieu

* Which is similar to Cisco's 'aaa authorization exec default group radius
none' I found here - kudos to:
http://lists.freeradius.org/pipermail/freeradius-users/2008-July/029800.html

Re: PEAP using different CA?

2013-07-11 Thread Mathieu Simon
Hi Fernando

2013/7/10 Fernando Hammerli fhamme...@puc-rio.br

  Got it now, as you said.

 Using the public CA certs on certificate_file (and related private key),
 and included the public CA
 chain on the CA_file (together with my own CA).

Yep, mostly, except that I put the private key not inside certificate_file
but separately into private_key_file (although the config says that you can
put it in the same file).


 Still needs more testing (in more enviroments), but seems to be working.

Make sure to test with a variety of devices/OS. Windows (as it has shown to
me and as the wiki says) is very picky while Android I've seen simply
ignore server certificate data and continue.

Make sure to not put a CA cert bundle from your CA + your cert inside
certificate_file but only those certs used in the chain of trust so you
don't get over 64k (see
http://wiki.freeradius.org/guide/Certificate%20Compatibility)

-- Mathieu

How to get vendor-specific attribute value pairs

2013-07-10 Thread Mathieu Simon
G'day list


I have been tinkering with some Netgear managed L2/L3 switching stuff and
got the login working via freeradius (actually quite simple compared to EAP
stuff for wireless).

But when issuing enable after login, going into what they call Privileged
EXEC mode, it will - very similar to Cisco - send a request for a user
$enab15$ to the radius server when FR doesn't send Cisco's own attribute
value pair for privileges.

At least defining such a user leads to working elevation to this privileged
mode but requires it instead of using the network admin's own password.

In general a lot of commands on these Netgears are (very much) similar to
Cisco IOS, where one can use the shell:priv-lvl=15 avpair during
authentication so the Cisco switch/router knows the privilege level of the
logged in user and thus won't ask for a $enab15$ user.

FreeRADIUS doesn't have a dictionary for Netgear stuff yet. I don't think
Netgear copied Cisco's own AVpair use, but in case they do have their own AV
pairs, how do you guys generally identify them?

Best regards
Mathieu

Re: How to get vendor-specific attribute value pairs

2013-07-10 Thread Mathieu Simon
G'day

2013/7/10 Arran Cudbard-Bell a.cudba...@freeradius.org


 On 10 Jul 2013, at 12:46, Mathieu Simon mathieu@gmail.com wrote:

  FreeRADIUS doesn't have a dictionary for Netgear stuff yet, I don't
 think Netgear
  copied Cisco's own AVpair use, but in case they do have own AV pairs,
 how do
  you guys generally identify them?

 By asking Netgear.

 There's no way to query the NAS to determine which attributes it supports.
 Or to decode unknown VSAs into meaningful data. This is not a limitation
 of FreeRADIUS, but a limitation of the protocol.


Thank you Arran, that's what I suspected but hoped that there would be
another way to find out. I'll see if Netgear is willing to approve the
existence of AV pairs (and if they're willing to share them).

-- Mathieu

Re: PEAP using different CA?

2013-07-10 Thread Mathieu Simon
Hi

As a possible hint since your question sounds similar to an issue I had:

I was looking to provide a server-side certificate to my clients from a
public CA but only allow clients to authenticate via EAP-TLS when
presenting a cert from our internal CA, which avoids the misconfiguration
of trusting any certificate issued by the public CA.

Check the difference: CA_file contains the root CA cert of your internal
CA, but the server cert (including cert chain) is set inside
certificate_file.

(http://lists.freeradius.org/pipermail/freeradius-users/2013-April/065990.html)

Regards,
Mathieu

Re: MS-CHAP2 fails - samba version?

2013-07-08 Thread Mathieu Simon
Am 08.07.2013 16:30, schrieb Phil Mayers:
 On 08/07/13 14:59, Lovaas,Steven wrote:


 Exec-Program output: Reading winbind reply failed! (0xc001)

 Check the permissions on the winbind socket, which usually lives in
 either /var/cache/samba/winbindd_privileged or
 /var/lib/samba/winbindd_privileged
I guess Debian wheezy is mostly the same as Ubuntu (where it is:
/var/run/samba/winbindd_privileged).
I had to add the freeradius user to this privileged group using
'sudo adduser freerad winbindd_priv' to make it work, I hope that helps.

-- Mathieu


Re: inactive users can authenticate

2013-06-28 Thread Mathieu Simon
G'day all, and thanks Phil for your hints

(Arran I'd want to leave 3.0 as an option of last resort even though it's
considered RC by now) ;-)

 try moving mschap after LDAP in authorise
Tried this one, no change unfortunately.

 Second, I can't remember if mschap checks the acct control flags in
 authorize or authenticate. If the latter you'll need to move away from
 using LDAP bind for auth
Hmm, I guess that would require me studying the code :-\

Anyway, I'm not entirely sure if I'm going to stay with this setup of this
Debian derivative since it uses its own AD to local OpenLDAP replication
and it didn't entirely convince me (too many replications and components
talking to each other).

Best regards
Mathieu




2013/6/26 Phil Mayers p.may...@imperial.ac.uk

 Couple of things:

 IIRC the account control flags are checked by the mschap module, which I
 see is running before the LDAP lookup - try moving mschap after LDAP in
 authorise

 Second, I can't remember if mschap checks the acct control flags in
 authorize or authenticate. If the latter you'll need to move away from
 using LDAP bind for auth
 --
 Sent from my phone with, please excuse brevity and typos




-- 
Mathieu Simon
mathieu@gmail.com

Re: inactive users can authenticate

2013-06-28 Thread Mathieu Simon
G'day all

I've taken out a configuration from an earlier prototype that I used with
Samba/Winbind authentication but didn't use the rlm_ldap for authorization
back then. (Having some archives can be quite useful sometimes...) ;-)

Since ntlm_auth properly leads to Access-Rejects for disabled users I can
ignore how good or how bad rlm_ldap behaves for disabled users as long as
it properly checks for group memberships (that's what I'm interested in for
LDAP checks).

And even if Arran points out the brokenness of rlm_ldap code in FR 2.x,
group checks based on rlm_ldap are working as expected - and that's what
I'm required to get working with this setup.

Regarding...
 Since your testing auth request was PAP, mschap will never be
 called for this, so you're stuck basically.
The result was the same when using radtest with -t mschap, if that's what
you're pointing out.

I guess for the current time I'm going to stay with an ADS-joined Samba and
use LDAP only for the authorization part. Summing up, I feel I'm ending up
with fewer components, taming overall complexity a bit.

Thank you guys for your inputs!

-- Mathieu

Question on ldap module's base_filter

2013-05-06 Thread Mathieu Simon
G'day list

I've come across an issue with the ldap module parameter base_filter, and
I'm not yet sure whether I'm hitting a bug (I guess: less likely) or I'm
missing / misunderstanding its correct use.

I'm running a Debian Squeeze derivative (Univention Corporate Server), FR
2.1.10 and OpenLDAP. On squeeze base_filter comes preconfigured as disabled
(#base_filter = (objectclass=radiusprofile)).

Now my idea was to set base_filter = (sambaAcctFlags=[U  ]) to only let
user objects (that are not disabled) get authorized. This field is present
on user objects so it would be great to have it used somehow.

The curious thing was that with radtest I always get Access-Accept even
when a user has the disabled flag (sambaAcctFlags=[UD ]).

This led me to check whether I can just set
base_filter=(notExisting=thisDoesntExist)
And the result also was: Access-Accept, so I guess base_filter isn't read
as I'd have expected it at first sight :-\

When I launch freeradius in debug mode I can see a message base_filter =
(sambaAcctFlags=[U  ]) passing on the screen so I guess the value at least
is getting read.

Can you give me a clever hint where/what to look for?

Best regards
Mathieu

Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
G'day

As a (hopefully) answerable question to those experienced with EAP-TLS
that I've been twisting my brain over:

Usually I've seen examples for EAP-TLS setups that used a server-side
certificate issued from the same CA as the one that should allow EAP-TLS
clients who present their certificate to FR.

Am I guessing correctly that CA_file can contain a different list of CA(s)
than the server certificate that is shown to the client? (Taken from
Debian's FR 2.1.12)

eap.conf:
    tls {
        [...]
        certificate_file = /etc/freeradius/ssl/cert.p

        #  Trusted Root CA list
        CA_file = /etc/univention/ssl/ucsCA/CAcert.pem
        [...]

The real-life example would be that people could use PEAP-MSCHAPv2 for
credential-based logins (server certificate being signed by a trusted
external CA) while some devices could login using EAP-TLS but only when
they present a certificate from an internal CA (that usually isn't being
trusted by devices outside of the control of the IT department).

Best regards
Mathieu


Re: Question on certificates before deep dive into EAP-TLS

2013-04-11 Thread Mathieu Simon
Hi

Am 11.04.2013 20:08, schrieb Alan DeKok:
 snip!
 The real-life example would be that people could use PEAP-MSCHAPv2 for
 credential-based logins (server certificate being signed by a trusted
 external CA)
   While that works, it's not recommended.  It means that the client will
 trust *any* certificate signed by that CA, for network access.

   It's usually a bad idea.
Correct, that for sure isn't what I'd want :-)

certificate_file - the server-side certificate - would contain the
certificate (and its trust chain) by the trusted CA.

CA_file would only contain the internal CA, such that only those signed by
the one internal CA IT has control over would be accepted by FR.
(oh and I'd want to have a regularly up-to-date revocation list...)
 snip!

   You don't need one CA per EAP method.
Sure, I am only looking for the server-side certificate (certificate_file)
being signed by a CA that most devices trust - since most of the users are
going to use PEAP-MSCHAPv2 with devices not under direct control of IT.

Telling students how to install an internal CA root isn't going to work;
it already didn't work for teachers in the past ...

But allowing only (internal) devices with certs from the internal CA
through CA_file would allow us to more easily integrate those non-personal
but school-owned devices.

I just hope I'm not telling complete bullshit... ;-)

Thank you Alan for your time to answer!

-- Mathieu


Re: upgrading freeradius

2013-01-28 Thread Mathieu Simon
Am 27.01.2013 21:52, schrieb a.l.m.bu...@lboro.ac.uk:
 Hi,

 2.1.10 is the version delivered by your distribution - and contains
 backported security bugfixes released until 2.2.0. In terms of security,
 your version is fine.
 why? why do that? why not simple release 2.2.0 - you are CONFUSING your users
 and CONFUSING those people who support them.

 if it says 2.1.10 then one can only ASSUME that its 2.1.10
Yes, somewhat true, but that's how a couple of distributions consider
'stable' releases: stick with a version of a software and backport (bug
and) security updates to this version (and only update the version of a
package at a new distro release).

Enterprise distributions or commercial Unix often do much heavier
backporting than what Debian/Ubuntu do, just to deliver the very same
version during the period of time the package is bundled with a release of
their distro/software.

You have to weigh the advantages vs. disadvantages, like breaking support
from your distributor, in this case Canonical. But I agree that asking on
this list is likely to yield the answer "upgrade first" in case of problems.

An Ubuntu PPA can be a very good thing - but you have to trust a third
party. That said, I really like PPAs when the packagers do good work and
care about updating the packages - thanks Fajar for maintaining this
repository!

-- Mathieu


Re: upgrading freeradius

2013-01-27 Thread Mathieu Simon
Hi

Am 27.01.2013 14:00, schrieb Tzvika Gelber:
 I have a working server running on version 2.1.10
 I just saw that there is version 2.2.0 and I would like to ask if an
 upgrade is a must
 and where can I find the documentation about how to do such a thing?

 My FR is running on Ubuntu 12.04.
2.1.10 is the version delivered by your distribution - and contains
backported security bugfixes released until 2.2.0. In terms of security,
your version is fine.

You could move to 2.2.0, but that requires more work like:
- building from source
- looking around for backported DEB packages (or building your own)
- moving to a newer (non-LTS) version of Ubuntu (will give you 2.1.12 right now)

As long as you're not missing specific features or bugfixes only found
after 2.1.10 was released, you can safely stay on that version.

There are however circumstances where building from source gives the extra
flexibility and bleeding edge code for your special use case, but that's
not always outweighing the invested time to build and maintain it on your
own.

-- Mathieu




Re: AD Authentication Permissions

2013-01-09 Thread Mathieu Simon
Hi Tyler

Since I'm in a similar situation with AD but still learning, just general
experience with other applications from the *nix world authenticating
against AD:

2013/1/9 John Dennis jden...@redhat.com:
 On 01/09/2013 02:00 PM, Tyler Brady wrote:

 Can someone give more details on setting up LDAP groups? So far I have
 attempted to modify the users file and the ldap module. I can't seem to get
 the ldap module configured properly, but I'm sure that's just one of many
 issues.

 ldap {
         #
         #  Note that this needs to match the name in the LDAP
         #  server certificate, if you're using ldaps.
         server = "ldap.your.domain"
         #identity = "cn=admin,o=My Org,c=UA"
         #password = mypass
         basedn = "o=My Org,c=UA"
         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
         #base_filter = "(objectclass=radiusprofile)"

 cn = username (is this correct)
 o= domain (is this correct)
 c= ?  (what does this field mean)

Your AD admin (you?) needs to create a basic user account, no domain admin
needed, who can read the parts of your AD/LDAP tree as John said.
(We maintain a couple of srv-* accounts here to quickly distinguish them
from real user accounts)

You'll need the value of the distinguishedName attribute on AD; your admin
can give you this value, but it's hidden by default in the GUI.*

For server= (don't know if recommended for FR too): you could point to
your.domainname, as this is a DNS record maintained by your AD-integrated
nameservers, which will point to all addresses of your current DCs.

BaseDN - yeah, look up a little what it is; it's the base your FR will
start looking up inside the LDAP tree.

Regards
Mathieu

* http://www.sharepointboost.com/blog/how-to-find-attributes-of-objects-in-active-directory/


Re: AD Authentication Permissions

2013-01-05 Thread Mathieu Simon
G'day all

2013/1/5 Alan DeKok al...@deployingradius.com:
[snip]

   Set up groups in LDAP.  See the LDAP / AD documentation.

   Then, in FreeRADIUS, check them:

 #-- users file
 DEFAULT LDAP-Group == foo, ...
 ...

 #---

(protest if this may sound like hijacking this thread...)
As a short question since Tyler was asking for AD as backend - which I have
read (so far) can't use the LDAP module since AD stores ntlm hashes - at
least not for authentication.

But then for LDAP groups, how is that supposed to be done when using
Samba/Winbind/ntlm_auth? Can I use LDAP groups for authorization?
(Interestingly something I've not really found covered online or in the
FreeRADIUS books I've had at hand.)

Best regards
Mathieu


Re: AD Authentication Permissions

2013-01-05 Thread Mathieu Simon
G'day Alan(s)

2013/1/5  a.l.m.bu...@lboro.ac.uk:
snip

 huh? this wasnt about authentication, it was about authorization - ie
 passing back details about what a user can do on some kit - that works fine
 100% fine with LDAP and AD

Thank you both for pointing in the correct directions by pointing me back
at the authentication != authorization thing. I'm messing around with
configuration files - yes, I agree to be a beginner even after some time
wrestling with FreeRADIUS now. ;-)

The thing I did here in my test env wasn't actually doing authorization,
but kind of authentication restriction, via ntlm_auth's
--require-membership-of parameter during the authentication phase.

Thank you guys!

-- Mathieu