dynamic tagged and untagged vlan assignment

2008-02-20 Thread Stieven . Struyf
All,
Currently I use this configuration to assign clients an IP after 
successful authentication (MAC authentication):
user User-Password == password
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-id = 20

This works, but now we are deploying a Cisco IP telephony solution.
The phones need to be in a tagged VLAN instead of an untagged one. 
Can I make this distinction based on RADIUS attributes?

regards,
Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

The question of whether a computer can think is no more interesting than 
the question of whether a submarine can swim. -- E. W. Dijkstra

This e-mail is property of the company and is supposed to contain only 
professional content.
The company can at all times consult the content of this e-mail and the reply 
to this e-mail.
By replying to this e-mail, you confirm your explicit agreement with the 
preceding.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: dynamic tagged and untagged vlan assignment

2008-02-20 Thread Stieven . Struyf
[EMAIL PROTECTED] wrote on 20-02-2008 11:36:27:

 The phones need to be in a tagged vlan instead of an untagged.
 
 Are you sure about that? You tag VLANs on a trunk port. And that port
 will be connected to the upstream device, not your phone.
The phone is some sort of switch.
Currently the edge port is statically in the untagged PC VLAN and the tagged voice 
VLAN. This setup works (the phone has to be configured with an admin VLAN to 
tag the voice packets).


Re: dynamic tagged and untagged vlan assignment

2008-02-20 Thread Stieven . Struyf
 For interest: obviously the phone needs to know the tag number. LLDP-MED 
 is the normal way of signalling this, or CDP on all-Cisco networks.
 
 Responding to the OP, whether you can do this and the syntax to use 
 depends on your switch. For example with 3Com 4400 and (I think) Extreme 
 x450 you do this:
 
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-id = 20 30t
 
 ...to put vlan 20 untagged and 30 tagged.

I heard that Cisco doesn't do LLDP-MED yet.
Thanks for the info, I'll try this and let you know. 
I'm currently running an all-ProCurve network with 3500yl switches.
I am told that with the newest firmware this should be possible.

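The Tunnel-* reply items from the original question and the untagged/tagged "20 30t" form quoted above, as an added example that is not part of any post in this thread and not FreeRADIUS code: a small audit of a users file that parses each entry and checks its VLAN assignment before the file goes live. It assumes the classic users-file grammar shown in the posts (name and check items on one line, reply items on indented continuation lines) and that the switch accepts a "t" suffix for a tagged VLAN, which is vendor-specific; the audit only checks syntax, the 1-4094 VLAN ID range, and that exactly one VLAN is untagged. Attribute names are compared case-insensitively, as the server does (the posts write Tunnel-Private-Group-id). The sample users text is constructed.

```python
"""Audit dynamic-VLAN reply items in a FreeRADIUS `users` file.

Added example; not code from the thread or from the FreeRADIUS project.
Assumes the classic `users` grammar shown in the thread and the "20 30t"
untagged/tagged value described for 3Com/Extreme switches. Whether a switch
honours the "t" suffix is vendor-specific; this only checks syntax and the
1-4094 VLAN-ID range.
"""
import re

# Constructed sample, modelled on the entries posted in the thread.
SAMPLE_USERS = """\
# PC on the edge port: untagged in VLAN 20
pc01 User-Password == "pc01"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = 20

# IP phone: data VLAN 20 untagged, voice VLAN 30 tagged
phone01 User-Password == "phone01"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = "20 30t"

# Broken entry: Tunnel-Medium-Type missing, VLAN id out of range
bad01 User-Password == "bad01"
\tTunnel-Type = VLAN,
\tTunnel-Private-Group-Id = 5000
"""

# attribute, operator, then either a "quoted value" or a bare token
_ITEM_RE = re.compile(r'([\w\-:]+)\s*(:=|==|\+=|!=|=)\s*(?:"([^"]*)"|(\S+))')
_VLAN_TOKEN_RE = re.compile(r'^(\d{1,4})(t?)$')


def _split_items(text):
    """Return [(attribute, operator, value), ...] for one line of items."""
    items = []
    for attr, op, quoted, bare in _ITEM_RE.findall(text):
        value = bare.rstrip(",") if bare else quoted
        items.append((attr, op, value))
    return items


def parse_users(text):
    """Parse `users` text into {name: {"check": [...], "reply": [...]}}.

    The real server allows repeated names (first match wins unless
    Fall-Through is set); the audit treats a repeat as a mistake.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                      # continuation: reply items
            if current is None:
                raise ValueError("reply items before any entry: %r" % raw)
            entries[current]["reply"].extend(_split_items(raw))
        else:                                      # new entry: name + check items
            parts = raw.split(None, 1)
            name, rest = parts[0], parts[1] if len(parts) > 1 else ""
            if name in entries:
                raise ValueError("duplicate entry %r" % name)
            current = name
            entries[name] = {"check": _split_items(rest), "reply": []}
    return entries


def vlan_assignment(entry):
    """Return [(vlan_id, tagged), ...] for one entry or raise ValueError."""
    reply = {attr.lower(): value for attr, _op, value in entry["reply"]}
    if reply.get("tunnel-type") != "VLAN":
        raise ValueError("Tunnel-Type must be VLAN")
    if reply.get("tunnel-medium-type") != "IEEE-802":
        raise ValueError("Tunnel-Medium-Type must be IEEE-802")
    group = reply.get("tunnel-private-group-id")
    if group is None:
        raise ValueError("Tunnel-Private-Group-Id missing")
    vlans = []
    for token in group.split():
        m = _VLAN_TOKEN_RE.match(token)
        if not m:
            raise ValueError("bad VLAN token %r" % token)
        vid = int(m.group(1))
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN id %d outside 1-4094" % vid)
        vlans.append((vid, m.group(2) == "t"))
    if sum(1 for _vid, tagged in vlans if not tagged) != 1:
        raise ValueError("exactly one untagged VLAN expected")
    return vlans


def audit(text):
    """Map each entry name to 'ok: <vlans>' or 'error: <reason>'."""
    report = {}
    for name, entry in parse_users(text).items():
        try:
            vlans = vlan_assignment(entry)
            report[name] = "ok: " + " ".join(
                "%d%s" % (vid, "t" if tagged else "") for vid, tagged in vlans)
        except ValueError as exc:
            report[name] = "error: %s" % exc
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE_USERS).items():
        print("%-10s %s" % (name, result))
```

Run it against the real file (`audit(open("/etc/raddb/users").read())`) before restarting the server; an entry flagged with an error would otherwise silently leave the port on whatever the switch's fallback VLAN is.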

migrating from files to ldap

2008-02-20 Thread Stieven . Struyf
I am looking to migrate from text files to an LDAP directory.
What is the best/easiest way to do this:
- set up LDAP, copy all data to LDAP from the start
- set up LDAP and gradually migrate (is it possible to have part of the 
clients in flat files and others in LDAP?)


radius attributes for cisco ip phone

2008-01-17 Thread Stieven . Struyf
I have HP ProCurve 3500yl switches for which I use MAC-based 
authentication against a RADIUS server.
The RADIUS server should assign the VLANs.
The PC that hangs behind the phone gets the correct VLAN, but the phone 
doesn't.

The RADIUS users file contains this for the phone (for the PC I have the same 
structure, only a different VLAN):

001c13d6b06f User-Password == 001c13d6b06f
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-id = 20

The phone doesn't seem to receive an IP. Is there an error in my config?

Stieven Struyf


Re: AW: AW: Authenticate by MAC address

2007-12-05 Thread Stieven . Struyf
I don't use a database, but for the normal flat text file you set the MAC 
address as username and as password.
The switch (I have ProCurves) sends the MAC address as both username and 
password to the RADIUS server.

Stieven Struyf
Bernd [EMAIL PROTECTED] wrote on 05-12-07 11:53 (Subject: AW: AW: Authenticate by MAC address):
To do authentication by MAC address. Maybe some settings in radiusd.conf 
or some other conf file. I can hardly believe it's just typing the
MAC address into the database and it works? 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf
of Alan DeKok
Sent: Wednesday, 5 December 2007 11:24
To: FreeRadius users mailing list
Subject: Re: AW: Authenticate by MAC address

Bernd wrote:
 I have a MySQL database to do it. I set the MAC address as UserName, 
op
 should be :=. What do I have to do with Value and Attribute? 

  You have mixed that up.  The MySQL schema attempts to mirror the
users file.  So see man users, and the users file for examples of
what to do.

  See also doc/rlm_sql

 And are there any further settings to do in a conf. file?

  To do what?

  Alan DeKok.

multiple user files

2007-11-21 Thread Stieven . Struyf
Is it possible to have multiple users files?
To make it more readable I want to split up my users file into different 
files depending on the user type (scanners, PCs, ...).
Is this possible by just adding multiple usersfile entries?

Stieven Struyf


Re: Recommended switches for dynamic vlans

2007-07-13 Thread Stieven . Struyf
Jacob,
I use ProCurve switches and I'm quite happy with them. Price is almost 
half of Cisco prices (and lifetime warranty) (although I have already seen 
Cisco match HP prices for large purchases if you mention ProCurve).
Until the previous firmware version they even supported Cisco p protocols 
(and open standards). Now they moved to open standards.


regards,
Stieven Struyf
Jacob Jarick [EMAIL PROTECTED] wrote on 13-07-07 06:35 (Subject: Recommended switches for dynamic vlans):
Can anyone recommend a brand / model of wireless switches that will
support dynamic VLANs?

I finally have FreeRADIUS working very nicely, just need to
(hopefully) find an inexpensive solution for the hardware side. I am
currently looking into the OpenWrt distro to see if that will provide
dynamic VLANs.

Thanks for all the help guys, wouldn't have gotten FreeRADIUS set up
without this mailing list, that's for sure.

Re: Recommended switches for dynamic vlans

2007-07-13 Thread Stieven . Struyf
Additional comment on ProCurve switches:
If you want to authenticate more than one client on a port you need 
multi-domain authentication support. This is available on the HP 3500yl and 
up (comparable with the Cisco 3500 series, I think).
The 26xx is indeed a good cheap PoE switch (only 10/100, but that should be 
enough for PoE applications).
Almost all managed ProCurve switches support the same security 
features (certainly from the 26xx and up), so that makes it easier to combine 
different models in your network without sacrificing security.
Most of the difference is in port speed and routing functions and whether 
it is chassis based or not.
I can also recommend the 5400 chassis-based switch. The largest model can 
handle 12 modules (also available with 6 modules) which you can fill. Cat5 
modules for this switch are always 10/100/1000 with PoE, or modules for 
mini-GBICs (the chassis itself is quite cheap, and modules are also OK but only 
interesting if you have centralized cabling).

One disadvantage of the ProCurves is that they don't support hardware 
stacking (for ProCurve, stacking is only a management feature) to build a 
virtual chassis with a high-speed backbone link between 2 or more 
switches (I think Cisco has models that can do this, but also not all).

regards,
Stieven Struyf
[EMAIL PROTECTED] wrote on 13-07-2007 11:54:25:

 Jacob Jarick wrote:
  Thanks very much for that information, shall follow up on it :)
 
  On 7/13/07, [EMAIL PROTECTED] wrote:
  [...]
 
 Yep, second vote for HP ProCurves. Any of the 26** support dynamic VLAN 
 assignment; they also have a really neat feature for authenticating 
 admin users on their SSH, web and console interfaces using RADIUS with 
 failover to local...
 Full accounting support, MAC-based authentication, supplicant port mode 
 (where the port on one HP can authenticate to another)... Loads more 
 stuff like filtering and ingress bandwidth limiting using VSAs.
 These also have a nice feature called OpenVLAN, where the switch can 
 drop people with broken supplicants into an arbitrary VLAN, where you 
 can provide resources to help fix their supplicant software.


Re: Best practices for redundant servers

2007-01-19 Thread Stieven . Struyf
I use a very simple system to get redundancy. I have 2 separate RADIUS 
servers. If I make a change I need to do it on both (biggest disadvantage).
In all my access points or other applications I can enter 2 RADIUS 
servers. When the first doesn't answer it automatically authenticates to the 
second.

This has the advantage that I add another config to one of them for test 
systems, or to test some parameters without the change being synced to the 
other one.


Stieven Struyf

[EMAIL PROTECTED] wrote on 01/19/2007 05:42:02 AM:

 Dennis Skinner wrote:
   For serious billable accounting you probably want to write to files and
   then import them into the db (there is a module to help with this).
   Radius will happily skip queries that take too long or if there are not
   enough mysql connections available on the accounting side.
 
 I remember reading about 'radsqlrelay' that does essentially this. It is
 also mentioned once in radiusd.conf but subsequent searching has brought
 up nothing worthwhile.
 
 Does anyone remember where there is documentation on this?
 
 regards
 Graham Beneke

Re: ntlm fall-through

2006-12-20 Thread Stieven . Struyf
Alan,
A month ago I configured NTLM authentication for our internal WiFi users. 
This works fine, but now I also needed to give access to some external 
consultants who didn't have an AD account.
I found a solution however by using the MS-Chap-Use-NTLM-Auth := 0 
variable for those users (but it would be nice if it would automatically fall 
through when no AD account was found).

BTW, I'm new to the (for me) more advanced features/internals of 
(Free)RADIUS, thanks for explaining it to me.

Stieven Struyf

[EMAIL PROTECTED] wrote on 12/19/2006 08:24:55 PM:

 [EMAIL PROTECTED] wrote:
  
  All,
  Does anyone know how i can configure ntlm fall-through, eg. try to
  authenticate the user local (via password entry in users file)
 
   No, the users file doesn't authenticate anyone.  It just adds a
 known good password to the request.  Some other module takes care of
 authenticating the user.
 
  and if
  the user isn't found use ntlm-auth(or first ntlm and afterwards userfile
  is also ok)?
  If i comment out the ntlm-auth line in the mschap section of
  radiusd.conf the user is authenticate local.
 
   See doc/configurable_failover.  You should be able to add a statement
 to the authenticate section saying try FOO, and if that fails, try BAR.
 
   This is really not a recommended configuration, however.  It is
 difficult to make it work well.
 
   Perhaps you could say *why* you need this, rather than asking how to
 implement a particular solution.
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

ntlm fall-through

2006-12-19 Thread Stieven . Struyf
All,
Does anyone know how I can configure NTLM fall-through, e.g. try to 
authenticate the user locally (via password entry in the users file) and if the 
user isn't found use ntlm_auth (or first NTLM and afterwards the users file is 
also OK)?
If I comment out the ntlm_auth line in the mschap section of radiusd.conf 
the user is authenticated locally.

I searched the archives and found the same question below, but no answer 
to the problem.

Anyone who can help me with this?

http://lists.freeradius.org/mailman/htdig/freeradius-users/2005-August/046691.html

Stieven Struyf

Re: AW: freeradius and ntlm_auth howto

2006-11-16 Thread Stieven . Struyf
I finally managed to filter out the last issues with my setup. When I have 
more time I will post a small howto that worked for me.
Although people on the list told me that there are plenty of guides already, 
I couldn't find one that worked.

Thanks everyone for all the hints that helped me.

Stieven Struyf

[EMAIL PROTECTED] wrote on 11/06/2006 04:36:25 PM:

 Actually this is the exact same problem I have. I need to type my 
 credentials in for authentication to work. If I let windows do it, I
 won't get in. 
 
 If any of you could please help us out with this issue, that'd be great
 
 Cheers
 
 Héctor
 
 
 
 From: [EMAIL PROTECTED]
 freeradius.org [mailto:freeradius-users-bounces+hector.
 [EMAIL PROTECTED] On behalf of Stieven.
 [EMAIL PROTECTED]
 Sent: Monday, 6 November 2006 16:17
 To: King, Michael
 Cc: freeradius-users@lists.freeradius.org
 Subject: RE: freeradius and ntlm_auth howto

 
 Michael, 
 The configuration works when I type in my username as 
 '[EMAIL PROTECTED]'; when I let Windows fill it in I don't get in. 
 My password gets locked after 3 attempts, and the WiFi retries 
 several times. If you look higher in the file you will see another 
 error: (logon failure) 
 
 It works with the standard certs, so for finding a good working 
 configuration this is OK for now. Obviously I will change this for 
 production.
 
 Stieven Struyf
 

 
 King, Michael [EMAIL PROTECTED] wrote on 11/06/2006 04:04 PM to [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org (Subject: RE: freeradius and ntlm_auth howto):
 
 Some things I've noticed from your attached files 
 
 Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes 
 
 I've never enabled these before, I'm unaware what effect they will have 
 
 
 tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random 
 
 Did you generate your OWN certs... The ones that ship with the 
 server ARE NOT valid. You have to generate your own. 
 
 rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
 rlm_eap: Loaded and initialized type mschapv2 
 
 That doesn't look right 
 
 
 
 BUT YOUR FINAL ANSWER: 
 
 
 Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
 Exec-Program output: Account locked out (0xc234) 
 Exec-Program-Wait: plaintext: Account locked out (0xc234) 
 Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect 
 
 
 Your account in the domain is not correct. 
 
 Looks like it's been disabled or something. 
 
 Fix that first before you change any more config files. 
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Monday, November 06, 2006 3:16 AM
 To: King, Michael
 Subject: Fw: freeradius and ntlm_auth howto
 
 
 Michael, 
 I sent my reply already to the list, but due to the size (larger than
 100k) it had to be reviewed by the admin and after a week it was 
 rejected. 
 Below you can find the mail. Thanks for helping me. 
 
 Stieven Struyf
 - Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -
 
 Stieven Struyf/KEISA/BE/KOMEUR wrote on 11/02/2006 08:55 AM to FreeRadius users mailing list freeradius-users@lists.freeradius.org (Subject: RE: freeradius and ntlm_auth howto):
 
 I added the debug log as an attachment (as it is a little large to paste 
 here). 
 This is the mschap config: 
 mschap { 
   authtype = MS-CHAP 
   use_mppe = yes 
   require_strong = yes 
   with_ntdomain_hack = yes 
   require_encryption = yes 
   ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response} 
 } 
 
 
 Stieven Struyf
 
 [EMAIL PROTECTED] org wrote on 10/27/2006 04:36:00 PM:
 
  Let's see if we can get this solved... 
  
   -Original Message-
   Here's the full log: 
   Waking up in 6

windows 2003 AD authentication with freeradius (for 802.1X)

2006-11-16 Thread Stieven . Struyf
All,
I've been struggling to get AD authentication working the way I want it. I 
wanted users to automatically log in to the wireless network with their 
Windows (AD) account without needing to enter their passwords.
I created this procedure with bits and pieces I found on the internet, 
hints I got on this list and some things I found out myself. 
I hope this saves some time for others (as this was a popular question on the 
list/Google, but I didn't find the complete solution that worked for me). 
If there are better options than the ones I used, let me know. I changed 
IP addresses and realm names for privacy reasons, but if there's something 
not clear any more, let me know.

1. General config needed for 802.1X
I added the AP in the clients.conf file.
I configured the AP to use WPA2/AES (also had to add WPA/TKIP).
I entered the RADIUS server I used below as RADIUS server (enabled 802.1X on 
the AP) and used the secret I configured in the clients.conf file.


freeradius+AD windows 2003
install samba (packages samba + samba-common + samba-client)

configure /etc/samba/smb.conf:
[EMAIL PROTECTED] samba]# cat smb.conf
realm = DIVISION.DOMAIN.NET
workgroup = division.domain.net
security = ADS
encrypt passwords = yes
password server = 192.168.100.3
# idmap uid and idmap gid are aliases for
# winbind uid and winbind gid, respectively
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
[test]
comment = Samba functionality test directory
path = /home/sambatest
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @DIVISION.DOMAIN.NET\Domain Users
[EMAIL PROTECTED] samba]#


configure /etc/krb5.conf
[EMAIL PROTECTED] samba]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = DIVISION.DOMAIN.NET
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc

[realms]
DIVISION.DOMAIN.NET = {
kdc = 192.168.100.3:88
admin_server = 192.168.100.3:749
default_domain = division.domain.net
}

[domain_realm]
.division.domain.net = DIVISION.DOMAIN.NET
division.domain.net = DIVISION.DOMAIN.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[EMAIL PROTECTED] samba]#

configure nsswitch.conf:
change the following entries in nsswitch.conf:
 
passwd: files  ->  passwd: files winbind
group: files   ->  group: files winbind

join the RADIUS server to the domain (the account wireless-account needs to be 
created and should have enough rights in AD)
# net ads join -S 192.168.100.3 -U wireless-account


Configure freeradius:

Add the user to the /etc/raddb/users file (if you use it for 802.1X you probably also 
want to add VLAN assignment entries):
[EMAIL PROTECTED] raddb]# cat users|grep -i user123
user123 
[EMAIL PROTECTED] raddb]#

Add realm(s) to the /etc/raddb/proxy.conf file (add here all the aliases of 
your domain):
realm DIVISION.DOMAIN.NET {
type= radius
authhost= LOCAL
accthost= LOCAL
}
realm DIVISION {
type= radius
authhost= LOCAL
accthost= LOCAL
}

Configure /etc/raddb/radiusd.conf  (change/activate mschap part):
mschap {
authtype = MS-CHAP
use_mppe = yes
require_strong = yes
with_ntdomain_hack = yes
require_encryption = yes
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}


Configure eap.conf: 

Uncomment the tls keys (for production you should create your own!!).
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}


Stieven Struyf
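The steps above touch six files that have to agree with each other (the realm in smb.conf and krb5.conf, the KDC entry, winbind in nsswitch.conf, the realm aliases in proxy.conf, the one-line ntlm_auth command, the tls keys). As an added example that is not part of this post and not FreeRADIUS or Samba code, here is a preflight script that parses those pieces and reports the mismatches that produced most of the questions in this thread. The configuration texts in it are constructed, modelled on the howto, and deliberately keep three weak spots worth flagging: a workgroup written as a DNS name (Samba expects the NetBIOS short name there), the single-DES Kerberos enctypes, and the demo certificates and key password that ship with the server (the post itself says to replace them). It also detects the wrapped ntlm_auth line that mail clients produce, since the server reads that setting as one line.

```python
"""Preflight checks for the freeradius + Samba/winbind + AD setup above.

Added example; not code from the thread, FreeRADIUS or Samba. It parses
the files the howto edits (smb.conf, krb5.conf, nsswitch.conf, proxy.conf,
the mschap and tls blocks) and reports inconsistencies between them. The
texts below are constructed and carry three weak spots on purpose: a
DNS-style workgroup (Samba wants the NetBIOS short name), single-DES
Kerberos enctypes, and the demo certificates shipped with the server.
"""
import re

SMB_CONF = "realm = DIVISION.DOMAIN.NET\nworkgroup = division.domain.net\nsecurity = ADS\n"
KRB5_CONF = """\
[libdefaults]
default_realm = DIVISION.DOMAIN.NET
default_tkt_enctypes = des-cbc-crc des-cbc-md5
[realms]
DIVISION.DOMAIN.NET = {
    kdc = 192.168.100.3:88
}
"""
NSSWITCH = "passwd: files winbind\ngroup: files winbind\n"
PROXY_CONF = "realm DIVISION.DOMAIN.NET {\n type = radius\n}\nrealm DIVISION {\n type = radius\n}\n"
MSCHAP = """\
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
}
"""
TLS = """\
tls {
    private_key_password = whatever
    certificate_file = ${raddbdir}/certs/cert-srv.pem
    CA_file = ${raddbdir}/certs/demoCA/cacert.pem
}
"""
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)


def parse_ini(text):
    """Minimal smb.conf / krb5.conf parser: keys before any [section] are
    'global'; krb5-style 'NAME = { ... }' blocks become sub-dicts."""
    conf = {}
    section, block = conf.setdefault("global", {}), None
    for line in text.spl>itlines() if False else text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        else:
            key, _, value = line.partition("=")
            (section if block is None else block)[key.strip()] = value.strip()
    return conf


def preflight(smb=SMB_CONF, krb5=KRB5_CONF, nsswitch=NSSWITCH,
              proxy=PROXY_CONF, mschap=MSCHAP, tls=TLS):
    """Return a list of 'FAIL: ...' / 'WARN: ...' findings (empty is good)."""
    out = []
    s, k = parse_ini(smb)["global"], parse_ini(krb5)
    realm = s.get("realm", "")
    if not realm or realm != realm.upper() or realm != k.get("libdefaults", {}).get("default_realm"):
        out.append("FAIL: smb.conf realm must be upper-case and equal krb5.conf default_realm")
    if "." in s.get("workgroup", ""):
        out.append("WARN: smb.conf workgroup looks like a DNS name; Samba wants the NetBIOS short name")
    if s.get("security", "").upper() != "ADS":
        out.append("FAIL: smb.conf security must be ADS for an AD join")
    if "kdc" not in k.get("realms", {}).get(realm, {}):
        out.append("FAIL: krb5.conf has no kdc for realm %s" % realm)
    enctypes = " ".join(v for key, v in k.get("libdefaults", {}).items() if "enctypes" in key)
    if "des-cbc" in enctypes:
        out.append("WARN: krb5.conf pins single-DES enctypes; prefer AES")
    for db in ("passwd", "group"):
        m = re.search(r"^%s:\s*(.*)$" % db, nsswitch, re.M)
        if not m or "winbind" not in m.group(1):
            out.append("FAIL: nsswitch.conf %s line lacks winbind" % db)
    realms = set(re.findall(r"^\s*realm\s+(\S+)\s*\{", proxy, re.M))
    for want in (realm, realm.split(".")[0]):   # FQDN realm and DOMAIN\user short form
        if want not in realms:
            out.append("FAIL: proxy.conf lacks realm %s" % want)
    m = dict(_KV_RE.findall(mschap))
    if m.get("with_ntdomain_hack") != "yes":
        out.append("WARN: mschap with_ntdomain_hack should be yes for DOMAIN\\user logins")
    if re.search(r"^\s*--", mschap, re.M):
        out.append("FAIL: ntlm_auth command is wrapped over several lines; it must be one line")
    for flag in ("--request-nt-key", "--username=", "--challenge=", "--nt-response="):
        if flag not in m.get("ntlm_auth", ""):
            out.append("FAIL: ntlm_auth command lacks %s" % flag)
    t = dict(_KV_RE.findall(tls))
    if t.get("private_key_password") == "whatever" or "demoCA" in t.get("CA_file", ""):
        out.append("WARN: eap.conf still uses the demo certificates/key password shipped with the server")
    return out


if __name__ == "__main__":
    for finding in preflight():
        print(finding)
```

Pass the real file contents as arguments to `preflight()`; with the constructed texts it returns only the three WARN lines described above, and a FAIL line points at something the server or the join will reject outright.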

Re: freeRADIUS on Solaris 10 - x86

2006-11-07 Thread Stieven . Struyf

 I think that I need the ldap module for the active directory request,
 do I also need the krb5 module?
 
Are you trying to do AD authentication?
If so you don't need the ldap module. I needed: winbind,
samba, krb5.conf (don't know to which package it belongs), ntlm_auth (again
don't know which package it belongs to), freeradius.

RE: freeradius and ntlm_auth howto

2006-11-06 Thread Stieven . Struyf

Michael,
The configuration works when I type in my username as '[EMAIL PROTECTED]';
when I let Windows fill it in I don't get in.
My password gets locked after 3 attempts, and the WiFi retries several
times. If you look higher in the file you will see another error: (logon failure)

It works with the standard certs, so for finding a good working
configuration this is OK for now. Obviously I will change this for production.

Stieven Struyf





King, Michael [EMAIL PROTECTED] wrote on 11/06/2006 04:04 PM to [EMAIL PROTECTED], FreeRadius users mailing list freeradius-users@lists.freeradius.org (Subject: RE: freeradius and ntlm_auth howto):

Some things I've noticed from your attached files

Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes

I've never enabled these before, I'm unaware what effect they will have


tls: pem_file_type = yes
 tls: private_key_file = /etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /etc/raddb/certs/cert-srv.pem
 tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/raddb/certs/dh
 tls: random_file = /etc/raddb/certs/random

Did you generate your OWN certs... The ones that ship with the server ARE
NOT valid. You have to generate your own.

rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2

That doesn't look right



BUT YOUR FINAL ANSWER:


xec-Program: /usr/bin/ntlm_auth
--request-nt-key --username=sstruyf --challenge=b9ee04ca891c7b7d --nt-response=79b960c773fa101929d3bf8e738168e8b6d8ae8cd61f64f0
Exec-Program output: Account locked out (0xc234) 
Exec-Program-Wait: plaintext: Account locked out (0xc234) 
Exec-Program: returned: 1
 rlm_mschap: External script failed.
 rlm_mschap: FAILED: MS-CHAP2-Response is incorrect


Your account in the domain is
not correct.

Looks like it's been disabled
or something.

Fix that first before you change
anymore config files.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Sent: Monday, November 06, 2006 3:16 AM
To: King, Michael
Subject: Fw: freeradius and ntlm_auth howto


Michael,
I sent my reply already to the list, but due to the size (larger than 100k) it had to be reviewed by the admin and after a week it was rejected.

Below you can find the mail. Thanks for helping me.


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551 
- Forwarded by Stieven Struyf/KEISA/BE/KOMEUR on 11/06/2006 09:13 AM -

Stieven Struyf/KEISA/BE/KOMEUR wrote on 11/02/2006 08:55 AM to the FreeRadius users mailing list freeradius-users@lists.freeradius.org, subject RE: freeradius and ntlm_auth howto:









I added the debuglog as attachment (as it is a little large to paste here).

This is the mschap config:
 mschap {
  authtype = MS-CHAP
  use_mppe = yes
  require_strong = yes
  with_ntdomain_hack = yes
  require_encryption = yes
  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
 }


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551 

[EMAIL PROTECTED]
wrote on 10/27/2006 04:36:00 PM:

 Let's see if we can get this solved...

  -Original Message-
  Here's the full log:
  Waking up in 6 seconds...
  rad_recv: Access-Request packet from host 10.104.254.73:1645,

 This is NOT the full log. The full log would have started with the line
 /path/to/radiusd -X

 Some important stuff is printed out there, it helps us help you.

   rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?
   rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack?

 Did you enable Ntdomain Hack in the MSCHAP module? (See below)

 Including your radius.conf file would help.

  HOWEVER, first you may want to check your mschap module definition:

  modules {
   mschap {
    ntlm_auth = "/usr/bin/ntlm_auth \
      --request-nt-key \
      --username=%{mschap:User-Name:-None} \
      --domain=%{mschap:NT-Domain:-None} \
      --challenge=%{mschap:Challenge:-00} \
      --nt-response=%{mschap:NT-Response:-00}"
   }
  }

  ...all on one line of course. Note the use of the mschap:User-Name and mschap:NT-Domain values.

 My radiusd.conf file's mschap section looks like this:
 NOTE that I do NOT have the :-00 and the :-None statements, and I DO have with_ntdomain_hack=yes

 # Microsoft CHAP authentication
 #
 # This module supports MS-CHAP and MS-CHAPv2 authentication

Re: freeRADIUS on Solaris 10 - x86

2006-11-02 Thread Stieven . Struyf

did you install only the solaris core system?
if so you probably need to install some additional packages. An important directory is /usr/ccs, maybe you need to add it to your path.
check that SUNWbtool is installed.
other ones are the kerberos packages (SUNWkrbu and/or SUNWkrbr)
The sun solaris package list can be useful for you:
http://docs.sun.com/app/docs/doc/817-0545/6mgbberid?a=view


[EMAIL PROTECTED]
wrote on 11/02/2006 03:24:13 PM:

 hey freeRADIUS users,

 next step ... testing freeRADIUS on a Solaris 10 box and I'm completely new to solaris! :-(
 I've started with the configure again but there are so many things missing:
 
 aclocal
 autoconf
 autoheader
 locate
 libgdbm
 sys/security.h
 sys/prctl.h
 prot.h
 sia.h
 siad.h
 krb5.h
 gawk
 mawk
 ar
 ramlib
 strip
 argz.h
 libldap
 dl.h
 dld.h
 mach-o/dyld.h
 gdbm.h
 pam/pam_appl.h
 oci.h
 sql.h
 
 Where can I get all these things, do I need everything?
 
 We are trying to get freeradius working with 802.1x authentication
to
 Microsoft Active directory with LDAP-groups and huntgroups:
 
 users-example:

 DEFAULT  LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == "ISALAB.local"
  Filter-Id = "Enterasys:version=1:mgmt=su:policy=adminrole",
  Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network",
  Fall-Through = No

 I hope someone can help me a bit to find the right way!

 thanks mIke

Re: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf

All,
I finally got it working, but not yet as I want.
The trick that made it work is setting auth-type := MSCHAPv2 for the user(s), and I also started radiusd as root (changed the rights without success to radiusd, but once everything is working I will try to run again with the radiusd user).

If I connect my user(s) with [EMAIL PROTECTED] it works,
but if I use realm\username the realm is found but no ntlm is used (and authentication fails).

Below you find an extract from the debug where you can see that the correct realm is found. Do I need some options?
(btw I need this to work because automatic logon to the wifi from windows xp with windows credentials is in this format)

modcall[authorize]: module kmt-eu.kmtg.net returns noop for request 69
  rlm_realm: Looking up realm KMT-EU.KMTG.NET for User-Name = KMT-EU.KMTG.NET\sstruyf
  rlm_realm: Found realm KMT-EU.KMTG.NET
  rlm_realm: Adding Stripped-User-Name = sstruyf
  rlm_realm: Proxying request from user sstruyf to realm KMT-EU.KMTG.NET
  rlm_realm: Adding Realm = KMT-EU.KMTG.NET
  rlm_realm: Authentication realm is LOCAL.


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED]
wrote on 10/26/2006 05:05:44 PM:

 [EMAIL PROTECTED] wrote:
  I am trying to authenticate my wifi users via our AD. I'm finding bits and pieces on the internet to configure things, but no completely usable howto.

  What's missing from any of the HOWTO's? There's some on the Wiki, and one on my site.

  Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)

  You're running the server as non-root, and the programs it executes don't run as root, so they don't have permissions to read that directory. Make the server run as root, or fix the permissions.

  Alan DeKok.
 --
  http://deployingradius.com - The web site of the book
  http://deployingradius.com/blog/ - The blog

Re: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf
-TLV response.
 rlm_eap_peap: Tunneled data is valid.
 rlm_eap_peap: Had sent TLV failure, rejecting.
rlm_eap: Handler failed in EAP/peap
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module eap returns invalid for request 8
modcall: group authenticate returns invalid for request 8
auth: Failed to validate the user.
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/no User-Password attribute] (from client WAP07KE port 2936 cli 0011.851a.cc37)
 Processing the post-auth section of radiusd.conf

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

[EMAIL PROTECTED]
wrote on 10/27/2006 12:26:09 PM:

 
 HOWEVER, first you may want to check your mschap module definition:

 modules {
  mschap {
   ntlm_auth = "/usr/bin/ntlm_auth \
     --request-nt-key \
     --username=%{mschap:User-Name:-None} \
     --domain=%{mschap:NT-Domain:-None} \
     --challenge=%{mschap:Challenge:-00} \
     --nt-response=%{mschap:NT-Response:-00}"
  }
 }

 ...all on one line of course. Note the use of the mschap:User-Name and mschap:NT-Domain values.
I checked it and changed the username value (it was stripped-username something), but without success.
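The ntlm_auth definition quoted above (and again in the 2006-11-06 message) relies on the %{mschap:User-Name} / %{mschap:NT-Domain} expansions, and the debug output in this thread asks whether with_ntdomain_hack should be enabled for DOMAIN\user logons. As an added illustration that is not part of this thread or of FreeRADIUS itself, the Python below splits the User-Name the way those expansions do, computes the RFC 2759 MS-CHAPv2 ChallengeHash with and without the domain prefix, and builds the resulting ntlm_auth command line; the challenges and the NT-Response are constructed sample bytes, and the :-None / :-00 defaults are taken from the quoted config.

```python
import hashlib
import shlex

# Added example for this thread; not FreeRADIUS's rlm_mschap and not code from
# any poster. It models the ntlm_auth line quoted above plus RFC 2759's
# ChallengeHash to show what with_ntdomain_hack changes. All sample bytes are
# constructed; the :-None / :-00 defaults come from the quoted config.


def split_nt_domain(user_name):
    """Split 'DOMAIN\\user' into (domain, user); other forms have no NT-Domain."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return None, user_name


def challenge_hash(peer_challenge, auth_challenge, hashed_user_name):
    """RFC 2759 ChallengeHash: SHA1(PeerChallenge || AuthChallenge || UserName)[:8].

    A Windows supplicant hashes the bare user name, not 'DOMAIN\\user'.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    data = peer_challenge + auth_challenge + hashed_user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def ntlm_auth_argv(user_name, peer_challenge, auth_challenge, nt_response,
                   with_ntdomain_hack=True):
    """Build the argv of the ntlm_auth command quoted in this thread.

    with_ntdomain_hack=True strips the DOMAIN\\ prefix before hashing, matching
    the client; with it off the prefix is hashed too, the 8-byte challenge no
    longer matches the client's NT-Response and ntlm_auth reports a logon
    failure even for a correct password.
    """
    domain, user = split_nt_domain(user_name)
    hashed_name = user if with_ntdomain_hack else user_name
    challenge = challenge_hash(peer_challenge, auth_challenge, hashed_name)
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--username=" + user,                              # %{mschap:User-Name:-None}
        "--domain=" + (domain or "None"),                  # %{mschap:NT-Domain:-None}
        "--challenge=" + challenge.hex(),                  # %{mschap:Challenge:-00}
        "--nt-response=" + (nt_response.hex() or "00"),    # %{mschap:NT-Response:-00}
    ]


if __name__ == "__main__":
    peer = bytes(range(16))          # constructed 16-byte peer challenge
    auth = bytes(range(16, 32))      # constructed 16-byte authenticator challenge
    resp = bytes(24)                 # constructed placeholder 24-byte NT-Response
    for hack in (True, False):
        argv = ntlm_auth_argv("KMT-EU.KMTG.NET\\sstruyf", peer, auth, resp, hack)
        print("with_ntdomain_hack = %s:" % ("yes" if hack else "no"))
        print("  " + shlex.join(argv))
```

Running it prints two command lines that differ only in the --challenge value, which is the mismatch behind a "Logon failure" for an otherwise valid DOMAIN\user account.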

RE: freeradius and ntlm_auth howto

2006-10-27 Thread Stieven . Struyf


[EMAIL PROTECTED]
wrote on 10/27/2006 02:54:52 PM:

 Did you notice the response from ntlm_auth:

 Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=sstruyf --challenge=decc4450c3b83d2c --nt-response=1af36673f68f926b4cc76bf8cd9f440d0c36396981ad345
 Exec-Program output: Logon failure (0xc06d)

 This indicates an invalid username or password. Try running "/usr/bin/ntlm_auth --username=sstruyf" and entering the same password you used in your previous test when prompted. Is the username correct? Is samba going to the correct domain by default? Did you enter the correct password? If you can't authenticate from the command line, you won't be able to do so from freeradius either.
From the command line everything is working, and the same username/realm works if I pass it as [EMAIL PROTECTED] instead of realm\username. So I am absolutely sure the user is OK.
I will check with our AD admin if he sees something in his logs.

freeradius and ntlm_auth howto

2006-10-26 Thread Stieven . Struyf
 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
Login incorrect: [KMT-EU.KMTG.NET\\sstruyf/no User-Password attribute] (from client localhost port 0)
 Processing the post-auth section of radiusd.conf
modcall: entering group Post-Auth-Type for request 7

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551

Re: rlm_krb5

2006-10-25 Thread Stieven . Struyf

Can't use that as an argument, mickeysoft strongly recommends to leave it disabled, and I'm not the windows admin.

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551





Alan DeKok [EMAIL PROTECTED] wrote on 10/24/2006 05:52 PM to the FreeRadius users mailing list freeradius-users@lists.freeradius.org, subject Re: rlm_krb5:
[EMAIL PROTECTED] wrote:
 What other setup can you recommend with minimal account administration?

 Use ntlm_auth. There are any number of HOWTO's on doing this, including the Wiki and my web site.

 Can you argument why (not) to store password with reversible encryption in AD.

 Because it doesn't do anything useful.

 Alan DeKok.
--
 http://deployingradius.com - The web site of the book
 http://deployingradius.com/blog/ - The blog

Re: freeradius+hpidm+cisco

2006-10-24 Thread Stieven . Struyf

[EMAIL PROTECTED]
wrote on 10/23/2006 04:55:32 PM:

 [EMAIL PROTECTED] wrote:
  Just for your info the contents of both hpidm config files:
  
  [EMAIL PROTECTED] raddb]# cat hpidm.post-auth.conf
  Post-Auth-Type REJECT{
  hpidm
  }
  hpidm
  [EMAIL PROTECTED] raddb]# cat hpidm.modules.conf
  hpidm{
  version = 1.0
  }
 
  This module is not included with the server. Therefore, it's something written locally, and you should ask the person who wrote it about any bugs it may have.
I know, but the problem only occurs on cisco devices, I doubt that hp will debug that (I already updated to the latest patchlevel).
I hoped that other users on the list are also using idm (as it works as a plugin for (free)radius).

Re: rlm_krb5

2006-10-24 Thread Stieven . Struyf

[EMAIL PROTECTED]
wrote on 10/23/2006 04:51:59 PM:

 [EMAIL PROTECTED] wrote:
 ...
 
  Please don't send HTML to the list.
I know, but it was related to my question and the info I already gathered.

  I am implementing 802.1x on our network. The easiest solution to do this is by using reversible passwords in active directory

  That isn't necessary.

  Only other way is by using kerberos.

  That's impossible. Kerberos doesn't do MS-CHAP, which is the authentication protocol used by Windows clients for 802.1x

What other setup can you recommend with minimal account administration?

Can you argument why (not) to store password with reversible encryption in AD.

rlm_krb5

2006-10-23 Thread Stieven . Struyf
All,
I am implementing 802.1x on our network. The easiest solution to do this is by using "reversible passwords" in active directory (and using ntlm_auth), but our windows guys don't want to allow this.
Only other way is by using kerberos. I found a link on the internet http://archives.free.net.ph/message/20060104.153134.68c5be76.en.html , but I can't get it to work.
The rlm_krb5 module doesn't seem to pick up my request (although I see that the module is loaded). Does anyone know how to configure this correctly? I already googled and searched the archives for this without luck.

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Tel. +32 (0)2 2552551

freeradius+hpidm+cisco

2006-10-23 Thread Stieven . Struyf

All,
We have an hp infrastructure and use identity driven management to enforce some additional rights to users (as forcing vlan assignment).
We have a mixed wireless environment with hp procurve and cisco (1200).
For hp access points we don't have any problem, but when trying with cisco devices freeradius crashes with a segmentation fault.
The segmentation fault happens when accessing the module hpidm.post-auth.conf which is loaded through radius.conf.
(if I comment out this module I don't get the error, but then vlan assignment doesn't work for the hp's).

Anyone else using this tool in a mixed environment?

Stieven Struyf
M.I.S. Division - System Operations
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Tel. +32 (0)2 2552551

RE: freeradius+hpidm+cisco

2006-10-23 Thread Stieven . Struyf

Jonathan,
I removed the hp module to check if the problem went away (which it did).
Afterwards I re-enabled it to take traces, but it doesn't segfault anymore.
Now I use radius to assign vlans for cisco and use hp idm for vlan assignment for hp.

Problem seems solved, but I don't want to install the idm on our primary radius server if it gives unstable behaviour to the stable freeradius server.
We are using freeradius for some years for our wifi production environment (barcode scanners), don't want to cause troubles just to let some users work wireless.


Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
Tel. +32 (0)2 2552551





Jonathan De Graeve [EMAIL PROTECTED] wrote on 10/23/2006 02:58 PM to the FreeRadius users mailing list freeradius-users@lists.freeradius.org, subject RE: freeradius+hpidm+cisco:
 All,
 We have an hp infrastructure and use identity driven management to enforce some additional rights to users (as forcing vlan assignment).
 We have a mixed wireless environment with hp procurve and cisco (1200)
 For hp access points we don't have any problem, but when trying with cisco devices freeradius crashes with a segmentation fault.
 The segmentation fault happens when accessing the module hpidm.post-auth.conf which is loaded through radius.conf.
 (if I comment out this module I don't get the error, but then vlan assignment doesn't work for the hp's).

It would be useful to debug and to post what's in the hpidm.post-auth.conf

J.

--
Jonathan De Graeve
IMELDA vzw
Informatica Dienst
Network System Engineer
[EMAIL PROTECTED]
+32(0)15/50.52.98 




RE: freeradius+hpidm+cisco

2006-10-23 Thread Stieven . Struyf


[EMAIL PROTECTED]
wrote on 10/23/2006 02:46:51 PM:

  All,
  We have an hp infrastructure and use identity driven management to enforce some additional rights to users (as forcing vlan assignment).
  We have a mixed wireless environment with hp procurve and cisco (1200)
  For hp access points we don't have any problem, but when trying with cisco devices freeradius crashes with a segmentation fault.
  The segmentation fault happens when accessing the module hpidm.post-auth.conf which is loaded through radius.conf.
  (if I comment out this module I don't get the error, but then vlan assignment doesn't work for the hp's).

 It would be useful to debug and to post what's in the hpidm.post-auth.conf
Just for your info the contents of both hpidm config files:

[EMAIL PROTECTED] raddb]# cat hpidm.post-auth.conf
Post-Auth-Type REJECT{
    hpidm
}
hpidm
[EMAIL PROTECTED] raddb]#

[EMAIL PROTECTED] raddb]# cat hpidm.modules.conf
hpidm{
    version = 1.0
}
[EMAIL PROTECTED] raddb]#

Stieven Struyf
M.I.S. Division - System Operations 
Komatsu Europe International NV
Mechelsesteenweg 586
B-1800 Vilvoorde
[EMAIL PROTECTED]
Tel. +32 (0)2 2552551