RE: How do I set up simple AD integration?
From: "Burton, Steven" <[EMAIL PROTECTED]>

> I'd seen that. What I was trying to do (unsuccessfully 'cos I'm ignorant) was to try to find out what triggers ntlm_auth to run. Is there something in another file that sets this up?

Your authorise and authenticate sections define what modules are called. Ergo, if you don't have a LDAP call in both, it doesn't do the authorise (can the user dial up?) or authenticate (are the credentials right). I've got a sanitised set of config I can send you, you don't need to do all that "nt_hack" skull hackery, mine is working pretty much OK out of the box with 2 config changes.

Stephen Walsh
[EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133  Fax: +61 2 6209 1179  Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B  ABN 15 050 192 660

Quoted from Freeradius-Users Digest, Vol 12, Issue 49, sent 12/04/2006 10:30 AM ZE2 to freeradius-users@lists.freeradius.org:

Today's Topics:
  1. group definitions in users file (ho)
  2. Help, Chap problem ([EMAIL PROTECTED])
  3. Re: group definitions in users file (Alan DeKok)
  4. Regarding VLAN (radhika putty)
  5. pam_radius_auth token user (Josh Restivo)
  6. RE: How do I set up simple AD integration? (Burton, Steven)
  7. different gateway for different users (Felice.pizzurro)
  8. Accessing REQUEST structure data outside FreeRADIUS module (Nicolas Castel)
  9. Accessing REQUEST structure data outside FreeRADIUS module (Nicolas Castel)

Message: 1
Date: Tue, 11 Apr 2006 21:56:57 +0200
From: "ho" <[EMAIL PROTECTED]>
Subject: group definitions in users file
To: "FreeRadius users mailing list"

Hi folks,

my environment: I do AAA with freeradius as a radius-proxy in combination with ms-ias (only for the passwords ;-) ) for cisco asa 5540-box, which is similar to a cisco pix firewall. In the future we have many, many entries for users with the same Cisco-AVPairs:

USER1   Proxy-To-Realm := IAS
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq domain",
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq domain",
        Cisco-AVPair += "ip:inacl# = permit tcp any host A.B.C.D eq 264",
        Cisco-AVPair += "ip:inacl# = permit tcp any host A.B.C.D eq 443",
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq isakmp",
        Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq 2746",
        Cisco-AVPair += "ip:inacl# = permit esp any host A.B.C.D",
        Cisco-AVPair += "ip:inacl# = deny tcp any any",
        Cisco-AVPair += "ip:inacl# = deny udp any any",
        Fall-Through = 0

Is it possible to group the User entries and then give them the special profile with the AVPairs? If not, what could be another good workaround for this problem?

thanks
marco

Message: 2
Date: Tue, 11 Apr 2006 16:06:07 -0400
From: [EMAIL PROTECTED]
Subject: Help, Chap problem
To: freeradius-users@lists.freeradius.org

Hello:

I have this problem, I get this message in the log:

"Tue Apr 11 14:43:18 2006 : Auth: Login incorrect (rlm_chap: Clear text password not available): [adexus/] (from client 3com port 268443649 cli 0010-a484-6e7a)"

I set the users file as follows:

adexus  Auth-Type := CHAP, User-Password == "adexus"

I configure the windows 2000 802.1x client how: EAP type: MD5 challenge

Any idea?

Regards
Francisco Lagos

Message: 3
Date: Tue, 11 Apr 2006 16:46:15 -0400
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: group definitions in users file
To: FreeRadius users mailing list

"ho" <[EMAIL PROTECTED]> wrote:
> Is it possible to group the User entries and then give them the special
> profile with the AVPairs?

Yes. You can use Unix groups for this, or create your own groups. See "man rlm_passwd" for an example of creating groups.

Alan DeKok.

Message: 4
Date: Tue, 11 Apr 2006 20:57:53 -0700 (PDT)
From: radhika putty <[EMAIL PROTECTED]>
Subject: Regarding VLAN
To: freeradius-users@lists.freeradius.org

Hi I tri
Re: Cert Generation Script
Hi Alan

Sorry for taking so long to get back to you, the site was using an old version of the script. Please feel free to include cacert into the CVS tree. Let me know if you need anything more from me. (I am working on a README for those who can't read Bash.)

Stephen Walsh

"Alan DeKok" <[EMAIL PROTECTED]> wrote on 07/03/2006 06:12 AM (To: FreeRadius users mailing list, cc: Stephen Walsh, Subject: Re: Cert Generation Script):

Stephen Walsh <[EMAIL PROTECTED]> wrote:
> Apologies if this is off-topic, but for those that may need it, I've
> written a small bash script (called cascript) to extend the certificate
> generation script supplied with FR (CA.all). It was written as part of the
> EDUROAM project in Australia (http://www.eduroam.edu.au) and can be
> downloaded from http://www.eduroam.edu.au/tech.index.html

Any objections to adding these to CVS?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Cert Generation Script
Apologies if this is off-topic, but for those that may need it, I've written a small bash script (called cascript) to extend the certificate generation script supplied with FR (CA.all). It was written as part of the EDUROAM project in Australia (http://www.eduroam.edu.au) and can be downloaded from http://www.eduroam.edu.au/tech.index.html

Please feel free to test it and let me know (off list, of course) if you have any problems with it.

many thanks

Stephen Walsh
realm based proxy not working
Hi Folks

I'm trying to get my Radius server handling requests for other realms now, and have been unsuccessful in the process. Despite my best efforts, the radius server ignores that the login realm is incorrect and attempts to authenticate the user against my LDAP tree.

Startup with debug shows it's being loaded:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no

proxy.conf has:

realm DEFAULT {
        type = radius
        authhost = xx.xx.xx.xx:1812
        accthost = xx.xx.xx.xx.4:1813
        secret =
        nostrip
}

realm DEFAULT {
        type = radius
        authhost = yy.yy.yy.yy:1812
        accthost = yy.yy.yy.yy:1813
        secret =
        nostrip
}

realm acu.edu.au {
        type = radius
        authhost = LOCAL
        accthost = LOCAL
        strip
}

radiusd.conf has:

# PROXY CONFIGURATION
#
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf

#realm module '[EMAIL PROTECTED]'
#
realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = yes
}

authorize {
        preprocess
        suffix
        auth_log
        eap
        ldap1
        ldap2
        ldap3
        ldap4
        ldap5
        ldap6
        ldap7
}

The logon is reaching the radius server with the correct realm; can anyone shed any light on this behaviour? I've tried it with our local domain both above and below the default entries, but without luck.

Stephen Walsh
Re: eap.conf configuration
> Please, could you be more accurate

When you create the private key file (pem file), you are asked to provide a passphrase that can be used to decode the file. The passphrase is a key to allow you to confirm the validity of the private key file (pem file).

Stephen Walsh
Configuring free radius to use Active directory service
> 1. How to configure the freeradius1.0.5 version, to support Active
> directory service for user authentication.
> For ldap .. we have rlm_ldap module to configure it. Same kind of
> configuration is there for ADS also ??

Sumithra; that part is quite easy. Here's what I've just done:

ldap {
        server = ""
        identity = ""
        password = ""
        basedn = "highest part of tree to start searching from"
        filter = "(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
}

authorize {
        preprocess
        suffix
        auth_log
        ldap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
}

If you're wanting to search multiple trees, that's another matter, but that should get you started. See my earlier post about problems with W2k3 trees and their behaviour with searches. VLANs I'll leave to someone who understands that part of FR better.

Regards

Stephen Walsh
Re: AD ldap bind works with 1.01, fails with 1.04
> I have no idea. I've looked, and can't see anything that would
> affect that.
>
> Alan DeKok.

Hi Alan

Thanks for the reply. We ended up reverting the production box to FC3 and 1.01, only to have it fail with the same error! I've since written a ldap module for each student campus/ou, specifying it down to the ou to search in:

ldap Canberra {
        basedn = "ou=students,ou=users,ou=signadou,dc=student(etc)"
}

and then added an entry for each in Authorize and Authenticate. Why my test box with FC3/1.01 works and nothing else does is beyond me, but this clunky option seems to work.

It may be of interest to note that our Student tree is native w2k3, while our staff tree is w2k. I also found an entry on a forum that referred to having to change the heuristic search value on the AD DC. I've pasted it below in the hope it may help someone in the future with the same problem.

dmeehan at flcancer dot com, 12-Aug-2004 04:26:

If you're having problems running LDAP searches on the base DC against Active Directory 2k3, you need to set dsHeuristics to 002 in Active Directory. This allows searches to function similar to how they did in Active Directory 2k2.

You can update dsHeuristics by launching ldp.exe, go to 'connection' and create a new connection. Then go to bind and bind to your ldap server. Next select the 'Browse' menu and choose 'modify'. The DN *might* look like this:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=mycompany,DC=com

Attribute is: dsHeuristics
Value is: 002

Set the operation to replace and you should be set. This solves the 'Operations error' error that happens when attempting to search without specifying an OU.

-d
Re: AD ldap bind works with 1.01, fails with 1.04
Alan;

I've tested it further and you are right, the search isn't recursively entering the tree. What in the search changed between 1.01 (which works) and 1.04 (which returns errors when trying to enter the OUs)? Is it possible to revert to the 1.01 search under 1.04?

many thanks

Stephen Walsh

"Alan DeKok" <[EMAIL PROTECTED]> wrote on 25/01/2006 04:16 AM (To: FreeRadius users mailing list, Subject: Re: AD ldap bind works with 1.01, fails with 1.04):

Stephen Walsh <[EMAIL PROTECTED]> wrote:
> ldap_search() failed: Operations error

It's a combination of factors. What's happening is that your LDAP search isn't fully qualified, so when something isn't found in "students", AD returns a referral to "staff". OpenLDAP fails to use the authentication credentials for the referral that it was given for the original query. And lo, "operations error", which is such a useful message.

It's a cross-domain referral problem. You have a "staff" domain, and a "student" domain, each of which trusts each other in AD.

The solution is to fully qualify all of the queries so that AD doesn't return a referral. Usually adding "ou=people" (or something like that) will usually do the trick.

Alan DeKok.
Re: AD ldap search works with 1.01, fails with 1.04
Thanks Alan;

I think I understand what you mean, however each of our trees is sorted by campus, then OU, then users:

Student
|
|---Brisbane
|
|---Sydney1
|
|---Sydney2
|
|---Canberra
    |
    |--computers
    |
    |--Printers
    |
    |---users

and the same for staff. What's the best way to format the baseDN to allow for recursive searches through each OU container? At the moment I have basedn = "ou=users,dc=student,dc=acu,dc=edu,dc=au", which is obviously wrong.

Many thanks

Stephen Walsh
Correction to: AD ldap search works with 1.01, fails with 1.04
Hi Folks

Correction to previous email ("AD ldap bind works with 1.01, fails with 1.04", 24/01/2006 04:28 PM): we can bind to the server; when the time comes to search, it fails.

radiusd -X -A

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to 192.148.xxx.xxx:389, authentication 0
rlm_ldap: bind as cn=,cn=users,dc=student,dc=acu,dc=edu,dc=au/ to 192.148.223.125:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=student,dc=acu,dc=edu,dc=au, with filter (samaccountname=testuser)
rlm_ldap: ldap_search() failed: Operations error
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

Stephen Walsh
AD ldap bind works with 1.01, fails with 1.04
Hi Folks

We're implementing freeradius with EAP/TLS for our wireless and have found a strange happening with 1.04. This will only happen when attempting to query our student domain (w2k3 AD tree), but not our staff (w2k3 AD tree). If I remove the section (below) for student, it will authenticate staff and log them on happily.

At the moment, we have

     acu.edu.au
         |
        / \
    staff student

I have a test box with FC3/FreeRadius 1.01 which will search through both domains and authenticate the user. I copy the config over to the FC4/FreeRadius 1.04 box and it works on staff, but returns the following on student (the tree is laid out the same as staff):

ldap_search() failed: Operations error

Is this a bug (known or unknown) or have I just not allowed something like referrals to work? I don't want to have to put openldap on the radius box if I can help it, but if that's the only solution then we'll reassess 1.01 on FC3.

Config is as below (some sanitisation done to protect the innocent networks involved).

ldap student {
        server = "192.148.xxx.xxx"
        identity = "cn=x,cn=users,dc=student,dc=acu,dc=edu,dc=au"
        password = "x"
        basedn = "dc=student,dc=acu,dc=edu,dc=au"
        filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
}

ldap staff {
        server = "192.148.xxx.xxx"
        identity = "cn=xx,cn=users,dc=staff,dc=acu,dc=edu,dc=au"
        password = "xx"
        basedn = "dc=staff,dc=acu,dc=edu,dc=au"
        filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
}

authorize {
        suffix
        eap
        staff
        student
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                student
                staff
        }
        eap
}

many thanks

Stephen Walsh
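As an added example (not code from the thread or from FreeRADIUS itself), a small Python lint that parses rlm_ldap module blocks in the layout used above and flags any basedn that sits at the domain root, the condition Alan's reply identifies as the trigger for the cross-domain referral that rlm_ldap reports as "Operations error"; it also builds the per-campus OU base DNs that the thread settled on, assuming the campus-then-users layout Stephen describes. The server address and bind identity in the sample config are constructed placeholders.

```python
import re

# Constructed sample in the thread's rlm_ldap layout; the server address and
# bind identity are placeholders, not values from the original posts.
SAMPLE_CONFIG = """ldap student {
        server = "192.0.2.10"
        identity = "cn=svc-radius,cn=users,dc=student,dc=acu,dc=edu,dc=au"
        basedn = "dc=student,dc=acu,dc=edu,dc=au"
        filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
}
ldap Canberra {
        server = "192.0.2.10"
        identity = "cn=svc-radius,cn=users,dc=student,dc=acu,dc=edu,dc=au"
        basedn = "ou=users,ou=Canberra,dc=student,dc=acu,dc=edu,dc=au"
        filter = "(samaccountname=%{Stripped-User-Name:-%{User-Name}})"
}
authorize {
        Canberra
}
"""

# Matches 'ldap student {' or 'authorize {'; the name group is absent for unnamed sections
HEADER = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")

def parse_modules(text):
    """Return {name: {key: value}} for every top-level 'ldap NAME { ... }' block."""
    modules, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            match = HEADER.match(line)
            if match and match.group(1) == "ldap" and match.group(2):
                current = modules.setdefault(match.group(2), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
        # %{...} expansions are brace-balanced, so counting braces tracks nesting
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return modules

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaving backslash-escaped commas alone."""
    return [(attr.strip().lower(), value.strip())
            for attr, _, value in (rdn.partition("=") for rdn in re.split(r"(?<!\\),", dn))]

def is_domain_root(dn):
    """True when every RDN is dc=, i.e. the search base is a whole naming context."""
    return all(attr == "dc" for attr, _ in parse_dn(dn))

def campus_basedns(domain_dn, campuses):
    """Per-campus search bases for the campus -> users layout described in the thread."""
    return [f"ou=users,ou={campus},{domain_dn}" for campus in campuses]

def lint(text):
    """Report modules whose basedn is the domain root, where AD answers with referrals."""
    findings = []
    for name, cfg in parse_modules(text).items():
        basedn = cfg.get("basedn", "")
        if is_domain_root(basedn):
            findings.append(f"{name}: basedn {basedn!r} is the domain root; a miss here "
                            "makes AD return a cross-domain referral, which rlm_ldap "
                            "logs as 'ldap_search() failed: Operations error'")
    return findings
```

Running lint(SAMPLE_CONFIG) flags only the student module, whose basedn is the bare dc= chain, while the Canberra module scoped to an OU passes.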