how to do the dynamic VLAN rewrite according to the username or calling-station-id?
We are trying to explore 802.1x in the university resnet. One thing we want to do is put the Cisco switch port in a walled-garden VLAN if the username or calling-station-id matches a blocklist. If the username/calling-station-id is not in the blocklist, they will just get the static access VLAN configured on the Cisco switch port. Is there any module available to do this already?

Regards,

Shiling

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: how to do the dynamic VLAN rewrite according to the username or calling-station-id?
On 11/6/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > We are trying to explore the 802.1x in university resnet. One thing we want
> > to do is put the cisco switch port in a walled garden VLAN if the username
> > or calling-station-id match a blocklist. If username/calling-station-id is
> > not in the blocklist, they will just get to the static access VLAN
> > configured on the cisco switch port. Is there any module available to do
> > this already?
>
> use SQL, Users file or LDAP - if the user exists as a check item
> then set the correct Cisco VLAN return attributes.

Suppose we use the Users file: where else in the freeradius configuration can we check, and how do we rewrite the VLAN?

Thanks.

Shiling

> alan
Re: how to do the dynamic VLAN rewrite according to the username or calling-station-id?
On 11/6/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Suppose we use Users file, where else in the freeradius configuration, we
> > can check and how to rewrite the VLAN?
> >
> > Thanks.
> >
> > Shiling
> >
> > > alan
>
> Nowhere. Put these as reply attributes:
>
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = vlannumber

Thanks for this info. One more step: is there any place in the freeradius configuration file where we can run a script to check the incoming RADIUS request User-Name/Calling-Station-Id against a file, for example youAreBlocked.txt, and then set the above attributes in the reply to the NAS?

Shiling

> Ivan Kalik
> Kalik Informatika ISP
Re: how to do the dynamic VLAN rewrite according to the username or calling-station-id?
On Nov 6, 2007 5:29 PM, <[EMAIL PROTECTED]> wrote:
> Hi,
>
> > Thanks for this info. One more step, is there any place in the freeradius
> > configuration file that we can run a script to check the incoming radius
> > request user-name/calling-station-id against a file for example
> > youAreBlocked.txt, and then set the above attributes in the reply to the
> > NAS?
>
> rlm_perl, rlm_python or exec - which coding language would you prefer?
> with any of these you can simply run a script which could check the
> attributes and return the correct reply attributes.

This is what I am looking for. Thanks a lot.

Getting to more specifics: we already have an enterprise LDAP service. Can we just add an attribute to the user entry in LDAP, something like blocked = yes, then have rlm_perl check the LDAP user entry attribute, and if blocked == yes, assign the restricted VLAN name in the RADIUS reply? Is this a normal thing to do? Or have a group in LDAP for blocked users, and if the user entry's groups include the blocked group, assign the restricted VLAN in the RADIUS reply? I think either way should work.

Thanks for all the replies.

Regards,

shiling

> alan
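Alan's answer (rlm_perl, rlm_python or exec) leaves the check itself to the reader. The following is an added example, not code from the thread or from the FreeRADIUS project: a Python decision function of the kind one would load through rlm_python. It compares the request's User-Name and Calling-Station-Id against a constructed block list and returns the Tunnel-* reply attributes Ivan listed (with the dictionary value name IEEE-802 for Tunnel-Medium-Type) only for blocked identities, so every other port keeps its static access VLAN. The block-list contents, the VLAN id, and the authorize() wrapper's calling convention and return codes are assumptions to verify against your rlm_python version; the MAC normalisation handles the hyphen, colon and dotted spellings different NASes use for Calling-Station-Id.

```python
"""
VLAN steering for 802.1X requests: block-listed users or MAC addresses get
the walled-garden VLAN, everyone else gets no Tunnel-* attributes so the port
keeps its static access VLAN.  Added example, not FreeRADIUS code.
"""
import re

# Value names as they appear in the FreeRADIUS dictionary (RFC 2868):
# Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6.  Use the name,
# not a bare number, in the reply.
TUNNEL_TYPE_VLAN = "VLAN"
TUNNEL_MEDIUM_IEEE802 = "IEEE-802"

# Constructed sample block list (stands in for youAreBlocked.txt or an LDAP
# "blocked" attribute/group); MACs are stored as 12 lowercase hex digits.
BLOCKED_USERS = {"mallory"}
BLOCKED_MACS = {"001122334455"}
WALLED_GARDEN_VLAN = "553"   # assumed id of the restricted VLAN

_MAC_SEPARATORS = re.compile(r"[-:.]")


def normalise_mac(calling_station_id):
    """Collapse NAS-specific MAC spellings (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455) into 12 lowercase hex digits.
    Returns None if the value is not a MAC address at all."""
    if calling_station_id is None:
        return None
    mac = _MAC_SEPARATORS.sub("", calling_station_id).lower()
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None


def vlan_reply(tunnel_private_group_id):
    """The reply attributes Ivan's post lists, plus Service-Type."""
    return (
        ("Service-Type", "Framed-User"),
        ("Tunnel-Type", TUNNEL_TYPE_VLAN),
        ("Tunnel-Medium-Type", TUNNEL_MEDIUM_IEEE802),
        ("Tunnel-Private-Group-Id", tunnel_private_group_id),
    )


def is_blocked(user_name, calling_station_id,
               blocked_users=BLOCKED_USERS, blocked_macs=BLOCKED_MACS):
    """True if either identifier is on the block list.  Usernames are
    compared case-insensitively with any @realm stripped, because the
    inner-tunnel User-Name may carry a realm the block list does not."""
    if user_name:
        bare = user_name.split("@", 1)[0].lower()
        if bare in {u.lower() for u in blocked_users}:
            return True
    mac = normalise_mac(calling_station_id)
    return mac is not None and mac in blocked_macs


def decide_vlan(request_attrs):
    """request_attrs: iterable of (attr, value) pairs as RADIUS sees them.
    Returns the reply pairs to add: the walled-garden VLAN for blocked
    identities, an empty tuple (keep the static port VLAN) otherwise."""
    attrs = dict(request_attrs)
    if is_blocked(attrs.get("User-Name"), attrs.get("Calling-Station-Id")):
        return vlan_reply(WALLED_GARDEN_VLAN)
    return ()


# rlm_python entry point: assumed FreeRADIUS 2.x convention (tuple of
# (attr, value) pairs in; (rcode, reply, config) out).  The numeric codes
# are the rlm_module_t values exported as radiusd.RLM_MODULE_*; verify them
# against your build before deploying.
RLM_MODULE_NOOP = 7
RLM_MODULE_UPDATED = 8


def authorize(p):
    reply = decide_vlan(p)
    if reply:
        return (RLM_MODULE_UPDATED, reply, ())
    return (RLM_MODULE_NOOP, (), ())


if __name__ == "__main__":
    # Constructed requests: blocked user with a realm, blocked MAC in the
    # Cisco dotted form, and a clean request.
    for req in (
        (("User-Name", "mallory@resnet.example"), ("Calling-Station-Id", "aa-bb-cc-dd-ee-ff")),
        (("User-Name", "alice"), ("Calling-Station-Id", "0011.2233.4455")),
        (("User-Name", "alice"), ("Calling-Station-Id", "aa:bb:cc:dd:ee:ff")),
    ):
        print(dict(req), "->", decide_vlan(req) or "static port VLAN")
```

The decision logic is kept separate from the module wrapper so it can be tested without a running server; swapping the constructed sets for a file read or an LDAP lookup of the "blocked" attribute discussed above does not change the reply it produces.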
freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)
We read all the dynamic VLAN related posts in this mailing list archive, but still can't get it to work even though authentication is working fine. We are trying to get dynamic VLAN assignment from FreeRADIUS with a local user database using EAP-TTLS/PAP. The client PC was able to authenticate, but is not in the intended VLAN (dynamic VLAN assignment is not working). Any suggestion is highly appreciated.

FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu

DEBUG INFO

  TTLS: Got tunneled reply RADIUS code 2
          Service-Type = Framed-User
          Tunnel-Type:0 = VLAN
          Tunnel-Medium-Type:0 = 802
          Tunnel-Private-Group-Id:0 = "552"
  Wed Nov 7 11:48:33 2007 : Debug: TTLS: Got tunneled Access-Accept
  Wed Nov 7 11:48:33 2007 : Debug: rlm_eap: Freeing handler
  Wed Nov 7 11:48:33 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 29
  Wed Nov 7 11:48:33 2007 : Debug: modcall[authenticate]: module "eap" returns ok for request 29
  Wed Nov 7 11:48:33 2007 : Debug: modcall: leaving group authenticate (returns ok) for request 29
  Sending Access-Accept of id 4 to 128.186.252.8 port 1645

USER FILE

  userx Cleartext-Password := "hello"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = "552"

"debug dot1x all" on the Cisco showed that the switch successfully assigns VLAN 0 to fa0/2 (the dot1x-enabled port) after authentication. We think this means the VLAN is not communicated between FreeRADIUS and the switch, but we don't know why. The test switch is a Cisco 3550 running IOS 12.2(35)SE. I have (also tried the configuration in the FreeRADIUS wiki, with the same result):

  aaa new-model
  aaa authorization network default group radius
  aaa authentication dot1x default group radius

and

  dot1x system-auth-control

fa0/2 is my test port.

med-res-t#sh run
Building configuration...

Current configuration : 3450 bytes
!
! Last configuration change at 11:19:46 eastern Wed Nov 7 2007 by cisco
! NVRAM config last updated at 11:17:30 eastern Wed Nov 7 2007 by cisco
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname med-res-t
!
logging buffered 65536 debugging
no logging console
enable secret 5 *
!
username cisco privilege 15 secret 5 ***
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
!
aaa session-id common
clock timezone eastern -5
ip subnet-zero
ip domain-name test.edu
!
ip ssh version 2
vtp mode transparent
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100,200
!
vlan 552
 name test-fwsm-lan
!
vlan 553
 name retricted-vlan
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 543,552
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan552
 ip address 10.128.252.8 255.255.255.0
!
ip default-gateway 10.128.252.1
ip classless
ip http server
ip http secure-server
!
radius-server host 10.128.33.163 auth-port 1612 acct-port 1646 key 7 070C285F4D06
radius-server source-ports 1645-1646
!
control-plane
!
line con 0
line vty 5 15
!
ntp clock-period 17179941
ntp server 10.128.8.8
end

med-res-t#
Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)
On Nov 7, 2007 1:38 PM, <[EMAIL PROTECTED]> wrote:
> Hi,
>
> > We read all dynamic vlan related posts in this mailing list archive,
> > but still can't get it to work even the authentication is working
> > good.
>
> in your eap.conf have you set the copy to inner tunnel to be "yes"?

Are you referring to

  ttls {
    copy_request_to_tunnel = yes
  }

From reading the comment about that, this looks related to the request, instead of the reply.

Thanks.

Shiling

> on your switch, have you set the device to accept server defined
> VLANs?

I believe on Cisco, "aaa authorization network default group radius" will enable the switch to accept RADIUS-defined VLANs.

> alan
Re: freeradius and cisco 3550 dynamic vlan assignment issue (authentication is working)
On Nov 7, 2007 3:40 PM, <[EMAIL PROTECTED]> wrote:
> > TTLS: Got tunneled reply RADIUS code 2
> >         Service-Type = Framed-User
> >         Tunnel-Type:0 = VLAN
> >         Tunnel-Medium-Type:0 = 802
> >         Tunnel-Private-Group-Id:0 = "552"
> > Wed Nov 7 11:48:33 2007 : Debug: TTLS: Got tunneled Access-Accept
> > Wed Nov 7 11:48:33 2007 : Debug: rlm_eap: Freeing handler
> > Wed Nov 7 11:48:33 2007 : Debug: modsingle[authenticate]: returned
> > from eap (rlm_eap) for request 29
> > Wed Nov 7 11:48:33 2007 : Debug: modcall[authenticate]: module "eap"
> > returns ok for request 29
> > Wed Nov 7 11:48:33 2007 : Debug: modcall: leaving group authenticate
> > (returns ok) for request 29
> > Sending Access-Accept of id 4 to 128.186.252.8 port 1645
>
> use_tunneled_reply = yes
>
> in ttls section of eap.conf.

Tried that, no luck.

> Ivan Kalik
> Kalik Informatika ISP
Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)
This is the catch. I swear we tried it at some point; apparently we were missing something else at that time. Now everything has worked out. Thanks all for the replies. Have a nice day.

Regards,

shiling

On Nov 7, 2007 4:49 PM, <[EMAIL PROTECTED]> wrote:
> Hi,
>
> > userx Cleartext-Password := "hello"
> >       Service-Type = Framed-User,
> >       Tunnel-Type = VLAN,
> >       Tunnel-Medium-Type = 802,
> >       Tunnel-Private-Group-ID = "552"
>
> Tunnel-Medium-Type = "IEEE-802",
>
> where did you get just '802' from?
>
> alan
Re: Referencing LDAP attributes in post-auth
This might help. I wanted to map certain attributes like employeeStatus from our iPlanet LDAP server to a RADIUS attribute, so I could manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary:

  ATTRIBUTE My-Local-employeeStatus 3000 string

and the following line in etc/raddb/ldap.attrmap:

  #FOO specific attributes
  replyItem My-Local-employeeStatus employeeStatus

Without these two line additions, radius will complain about an unknown attribute. Then in the post-auth section:

  # default will have no Tunnel attribute/value; instead, they will be configured on
  # the NAS to go to student VLANs.
  # this will cover my ldap ntPassword authentication/authorization
  # facstaff have employeeStatus set while students do not
  if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
      update reply {
          Service-Type = "Framed-User"
          Tunnel-Type = "VLAN"
          Tunnel-Medium-Type = "IEEE-802"
          Tunnel-Private-Group-Id = "facstaff"
      }
  }
  # this will cover my AD ntlm auth; people in AD are all facstaff
  if ( "%{User-Name}" !~ /@/ ) {
      update reply {
          Service-Type = "Framed-User"
          Tunnel-Type = "VLAN"
          Tunnel-Medium-Type = "IEEE-802"
          Tunnel-Private-Group-Id = "facstaff"
      }
  }

In this way, people can map an arbitrary attribute from LDAP to RADIUS; if it is not in dictionary/ldap.attrmap, just define your own. Then you have the flexibility of using these attribute/values in your logic in the post-auth section.

Thanks all for the hints and help!

Schilling

On Tue, Nov 1, 2011 at 4:08 PM, Phil Mayers wrote:
> On 11/01/2011 07:41 PM, Adam Track wrote:
>>
>> > I'm just guessing, and could be WAY off, but may be an inner-tunnel
>> > vs. outer-tunnel thing.
>>
>> In eap.conf, I've got copy_request_to_tunnel = yes and
>> use_tunneled_reply = yes. Neither the ldap nor perl modules are called
>> in the inner-tunnel.
>
> Full debug please.
>
> Broadly speaking the approach you're trying should work. Most likely there's
> some subtlety which the partial debug doesn't show.
>
> One obvious question: you have defined "Person-Type" in a dictionary
> somewhere, haven't you? e.g. in raddb/dictionary:
>
> ATTRIBUTE Person-Type 3099 string
>
> Also, the usual "upgrade 2.1.8 is a bit old" note goes here ;o)
Re: MAC based auth
We did MAC-based authentication on our campus resnet with about 5000 unique MAC addresses. We have predominantly Foundry, and some Cisco 3550s. Foundry switches work very well. Their dot1x feature set is very good; they call it multi-device port authentication. Cisco 3550 is OK; at least we got MAB working as we architected. You have to disable 802.1x in order to do MAB. There are some catches though.

Sample Cisco switch configuration:

  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius local
  dot1x system-auth-control

  interface FastEthernet0/3
   description MAC-AuthC
   switchport access vlan 552
   switchport mode access
   dot1x mac-auth-bypass
   dot1x critical
   dot1x pae authenticator
   dot1x port-control auto
   dot1x host-mode multi-host
   dot1x timeout tx-period 1
   dot1x max-reauth-req 1
   spanning-tree portfast
   spanning-tree bpduguard enable

RADIUS VLAN instruction policy settings:

  $RAD_REPLY{'Service-Type'} = "Framed-User";
  $RAD_REPLY{'Tunnel-Type'} = "VLAN";
  $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
  $RAD_REPLY{'Tunnel-Private-Group-Id'} = "YourVLANName";

There is one special troubleshooting guide for MAC address authentication: please make sure the student computer does not have 802.1x authentication enabled on the Ethernet network connection when a student calls and says the network reports no or limited connectivity. We found out that Windows XP and Windows Vista 802.1x authentication is not enabled by default, but we just want to double-check to make sure 802.1x authentication is disabled on the Ethernet connection.

How to check that 802.1x authentication is off? In Windows XP: Start, Settings, Network Connections, right-click Local Area Connection, select Properties. If you do not see an Authentication tab, 802.1x is not available and thus not enabled. If the Authentication tab is available, please make sure the "Enable IEEE 802.1x for this network" checkbox is not checked.

More technical details regarding Windows 802.1x authentication, for your information. In Windows XP SP3 and Windows Vista, there is a service which is set to Manual and Stopped by default:

  start -> run -> cmd
  services.msc
  service: dot3svc
  display name: Wired AutoConfig
  description: This service performs IEEE 802.1X authentication on Ethernet interfaces

If you right-click the service and start it, the Authentication tab will show up in your Local Area Connection properties.

Schilling

On Wed, Nov 26, 2008 at 8:42 AM, <[EMAIL PROTECTED]> wrote:
> > Do they support Mac-Based Auth + 802.1X on the same port?
>
> In a (very) weird way. It's not mac auth + 802.1x but mac auth *in*
> 802.1x (mac address is sent as user/pass - requires registry hacking on
> XP). And then you can re-authenticate with username/pass.
>
> There is also something called mac authentication bypass for 802.1x. If
> enabled, the switch will do mac auth if it doesn't get an EAPOL packet from the
> supplicant. So, in a manner of speaking, you can have mac auth and
> (probably should say or - the idea is to be able to connect something
> that doesn't do 802.1x, like a network printer) 802.1x on the same port.
>
> Ivan Kalik
> Kalik Informatika ISP
radtest nasname IP address support?
Hi,

radiusd: FreeRADIUS Version 1.1.7

radiusd nasname could be a host name only. It would be convenient if it could also be an IP, as radiusserver in radtest can be. Is it supported in a newer version?

Thanks.

Schilling
Re: radtest nasname IP address support?
Sorry, my bad. I mean the radtest nasname parameter.

Schilling

On Fri, Dec 5, 2008 at 1:58 AM, Alan DeKok <[EMAIL PROTECTED]> wrote:
> schilling wrote:
> > radiusd nasname could be host name only. It would be convenient if it
> > could also be ip as radiusserver in radtest.
>
> What does that mean?
>
> The server can use hostname or IP address almost anywhere...
>
> Alan DeKok.
Re: Allowing Access via 'users' when LDAP fails
Between MAC Authentication Bypass and 802.1x, how do you force the port to reauthenticate?

Schilling

On Mon, Feb 1, 2010 at 11:12 AM, Amaru Netapshaak wrote:
>
> From: Alan Buxey
> To: FreeRadius users mailing list
> Sent: Mon, February 1, 2010 9:51:42 AM
> Subject: Re: Allowing Access via 'users' when LDAP fails
>
> Hi,
>
>> I'm using Cisco 3560G switches. If a client currently doesn't send EAPOL
>> packets to the switch, the 'guest vlan' works perfectly.
>>
>> However, my clients ARE dot1x capable, and DO send EAPOL packets to the
>> switch, and that makes the switchport stay unavailable for too long while the
>> switch attempts to reauthenticate the client (takes about 65 seconds), by
>> which time the end user's client didn't get an IP address and they cannot
>> login to the AD.
>
> adjust the switch timers then - the default timers will cause the effect
> you have outlined...too long to fail-through
>
>> I just want a port to come up immediately on a guest/restricted type VLAN,
>> allow the client to receive an IP address via DHCP, allow them to authenticate
>> against the AD, and then be placed into the correct vlan (and have DHCP get a
>> new IP address naturally)
>
> how will they then authenticate against the AD after they are on this restricted
> network? captive portal box? the supplicant won't do anything after the first
> stage
>
> you might want to read this guide:
>
> http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
>
> this gives more info on timers/timeouts for each part. simply reduce
> a few timers like max-req and tx-period and you'll get guest-vlan
> fall-through within a few seconds
>
> alan
>
> Alan,
>
> Thanks for your quick reply! The plan was to have the guest/restricted VLAN have
> permissions enough to allow the client to authenticate against my AD, and then be
> assigned to the appropriate vlan, where full 'network rights' would be granted.
>
> I will check out that document right now.. sounds perfect. Thanks!
>
> +AMARU
freeradius, samba, AD peap/mschap-v2 redundancy and Certificate
Hi,

We are thinking of authenticating users via 802.1x/MSCHAPv2 with FreeRADIUS, Samba and Active Directory. Is the following a good redundancy design? If not, which one is better?

  radius1 1.1.1.1, radius2 2.2.2.2
  Active Directory Domain Controllers 3.3.3.3 4.4.4.4

Put 1.1.1.1 and 2.2.2.2 as the primary/secondary RADIUS server list in the switches/APs/controllers.

On radius1:

  krb5.conf
    kdc = 3.3.3.3
    kdc = 4.4.4.4
  smb.conf
    password server = 3.3.3.3, 4.4.4.4

On radius2:

  krb5.conf
    kdc = 4.4.4.4
    kdc = 3.3.3.3
  smb.conf
    password server = 4.4.4.4, 3.3.3.3

For certificates, do we need a server certificate for both radius1 and radius2 if we want the supplicant to verify the server certificate?

Thanks,

Schilling
PEAP w/ freeradius to LDAP storing ntPassword
Hi All,

We are trying to use LDAP as the backend database for dot1x PEAP authentication through FreeRADIUS. The following link has a good explanation.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

But do we really need both ntPassword and lmPassword in the LDAP directory? How does the process work regarding ntPassword authentication? Is the following sequence in the right direction?

  windows client sends username and ntpassword to NAS
  NAS sends the username/ntpassword to radius in a tunnel
  radius unwraps the tunnel, uses the username to fetch the ntpassword from ldap, compares the ldap-returned ntpassword and the unwrapped ntpassword; if they are the same, authentication is accepted.

Thanks,

Schilling
Re: PEAP w/ freeradius to LDAP storing ntPassword
There is smbencrypt in radius-utils to generate the LM hash and NT hash. Is there any known good Perl script to do this?

  sd...@palm:/usr/bin$ smbencrypt schilling
  LM Hash                          NT Hash
  D134D8CD21607749DD4218F5E59DD23A AF8AC3EF6579FC768515F960FB2096AC

Then which one is required? Is there any format requirement in LDAP? Or do we just copy the 32 characters and put them in LDAP?

Thanks.

Schilling

On Wed, Oct 6, 2010 at 2:19 PM, Alan DeKok wrote:
> schilling wrote:
> > We are trying to use ldap as backend database for dot1x peap
> > authentication thru freeradius. The following link has good
> > explanation.
> >
> > http://vuksan.com/linux/dot1x/802-1x-LDAP.html
>
> Note it's 5 years old...
>
> > But do we really need both ntpassword and lmpassword in the ldap directory?
>
> No.
>
> > windows client send username and ntpassword to NAS
> > NAS send the username/ntpassword to radius in a tunnel
> > radius unwrap the tunnel, using the username to fetch the ntpassword
> > from ldap, do a comparison of ldap returned ntpassword and unwrapped
> > ntpassword, if they are the same, authentication accept.
>
> No. It's a *lot* more complicated than that.
>
> All you need to do is to uncomment "ldap" in
> raddb/sites-available/inner-tunnel, and it should work.
>
> Alan DeKok.
One virtual server for MS-chapv2 against Active Directory, the other one agaist ldap ntpasswd?
Hi All,

Can I have one virtual server listening on 1812/1813 authenticating with MS-CHAPv2 against AD, and another virtual server listening on 1814/1815 authenticating with MS-CHAPv2 against LDAP with the ntPassword hash? We are able to get an instance running against AD, but not able to get it working against LDAP. The user will continue to try AD.

Thanks,

Shiling
Re: Problems getting a linux server to join a AD domain
put server string = MAT-DESKTOP

On Thu, Oct 28, 2010 at 3:24 PM, Rowley, Mathew wrote:
> $ hostname
> mat-desktop.security.lab.net
>
> Short name is just mat-desktop
>
> Mathew Rowley
> IIS Network Security Architecture
>
> On 10/28/10 12:41 PM, "Sallee, Stephen (Jake)" wrote:
>
>> I have to ask ... but what is your server's name? The error is saying
>> that the name is incompatible with AD. Do you have any special
>> characters, any spaces, or any other weirdness in your server's name?
>>
>> Jake Sallee
>> Godfather Of Bandwidth
>> Network Engineer
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> -----Original Message-----
>> From: freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org
>> [mailto:freeradius-users-bounces+jake.sallee=umhb@lists.freeradius.org] On Behalf Of Rowley, Mathew
>> Sent: Thursday, October 28, 2010 1:33 PM
>> To: freeradius-users@lists.freeradius.org
>> Subject: Problems getting a linux server to join a AD domain
>>
>> In an attempt to integrate Radius with AD, and following the tutorial
>> (http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO)
>> I have set up an AD server in our lab, and am having trouble adding my
>> linux box to the domain. Can anyone see what I'm doing wrong? The error I
>> keep getting is:
>>
>> $ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
>> [sudo] password for wuntee:
>> Enter Administrator's password:
>> [2010/10/28 12:23:36.656829, 0] utils/net_rpc_join.c:406(net_rpc_join_newstyle)
>>   Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME
>>
>> Unable to join domain SECLAB.
>>
>> Kerberos seems to work fine:
>>
>> $ kinit mrowle000
>> Password for mrowle...@seclab.security.lab.net:
>> $ klist
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: mrowle...@seclab.security.lab.net
>>
>> Valid starting     Expires            Service principal
>> 10/28/10 12:27:29  10/28/10 22:27:23  krbtgt/seclab.security.lab@seclab.security.lab.net
>>         renew until 10/29/10 12:27:29
>>
>> CONFIGS:
>>
>> krb5.conf
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  kdc = SYSLOG:INFO:AUTH
>>  admin_server = FILE:/var/log/kadmind.log
>>  admin_server = SYSLOG:INFO:AUTH
>>
>> [libdefaults]
>>  default_realm = SECLAB.SECURITY.LAB.NET
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>  ticket_lifetime = 24h
>>  forwardable = yes
>>
>> [appdefaults]
>>  pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>  }
>>
>> [realms]
>> SECLAB.SECURITY.LAB.NET = {
>>  kdc = seclab.security.lab.net:88
>>  default_domain = seclab.secuitry.lab.net
>> }
>>
>> [domain_realm]
>> .seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
>> seclab.security.lab.net = SECLAB.SECURITY.LAB.NET
>>
>> Samba.conf
>> [global]
>>  workgroup = SECLAB.SECURITY.LAB.NET
>>  server string = %h server (Samba, Ubuntu)
>>  dns proxy = no
>>  log file = /var/log/samba/log.%m
>>  max log size = 1000
>>  syslog = 0
>>  panic action = /usr/share/samba/panic-action %d
>>  security = ads
>>  encrypt passwords = true
>>  passdb backend = tdbsam
>>  obey pam restrictions = yes
>>  unix password sync = yes
>>  passwd program = /usr/bin/passwd %u
>>  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>  pam password change = yes
>>  map to guest = bad user
>>  idmap uid = 16777216-33554431
>>  idmap gid = 16777216-33554431
>>  template shell = /bin/bash
>>  winbind use default domain = no
>>  password server = seclab.security.lab.net //your AD-server
>>  realm = SECLAB.SECURITY.LAB.NET //your real
>>  usershare allow guests = yes
>>
>> [homes]
>>  comment = Home Directories
>>  browseable = no
>>  writable = yes
>>
>> [printers]
>>  comment = All Printers
>>  browseable = no
>>  path = /var/spool/samba
>>  printable = yes
>>  guest ok = no
>>  read only = yes
>>  create mask = 0700
>>
>> [print$]
>>  comment = Printer Drivers
>>  path = /var/lib/samba/printers
>>  browseable = yes
>>  read only = yes
>>  guest ok = no
Re: Problems getting a linux server to join a AD domain
add

  netbios-name = MAT-DESKTOP

That's what we have here.

On Thu, Oct 28, 2010 at 3:49 PM, Rowley, Mathew wrote:
> It would make sense that was the issue due to:
>
> server string = %h server (Samba, Ubuntu)
>
> but still getting the same error:
>
> $ sudo net join -w SECLAB -I 10.252.159.137 -U Administrator
> Enter Administrator's password:
> [2010/10/28 13:40:07.929859, 0] utils/net_rpc_join.c:406(net_rpc_join_newstyle)
>   Error in domain join verification (credential setup failed): NT_STATUS_INVALID_COMPUTER_NAME
>
> Unable to join domain SECLAB.
>
> $ grep 'server name' /etc/samba/smb.conf
> $ grep 'server string' /etc/samba/smb.conf
> server string = MAT-DESKTOP
> # server string is the equivalent of the NT Description field
> # server string = %h server (Samba, Ubuntu)
>
> On 10/28/10 1:31 PM, "schilling" wrote:
>
>> put server string = MAT-DESKTOP
>>
>> On Thu, Oct 28, 2010 at 3:24 PM, Rowley, Mathew wrote:
>>> $ hostname
>>> mat-desktop.security.lab.net
>>>
>>> Short name is just mat-desktop
>>>
>>> Mathew Rowley
>>> IIS Network Security Architecture
>>>
>>> On 10/28/10 12:41 PM, "Sallee, Stephen (Jake)" wrote:
>>>
>>>> I have to ask ... but what is your server's name? The error is saying
>>>> that the name is incompatible with AD. Do you have any special
>>>> characters, any spaces, or any other weirdness in your server's name?
>>>>
>>>> [...]
PEAP w/ freeradius to LDAP storing ntPassword not working
Hi All,

We had the ntPassword hash in our LDAP server; now authentication from PEAP from a Windows computer and from radtest -t mschap fails. Attached please find the full debug information. My username is sding for the testing.

Thanks,

[r...@auth2 opt]# ./sbin/radiusd -X
FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov 4 2010 at 13:04:32
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /opt/etc/raddb/radiusd.conf
including configuration file /opt/etc/raddb/clients.conf
including files in directory /opt/etc/raddb/modules/
including configuration file /opt/etc/raddb/modules/policy
including configuration file /opt/etc/raddb/modules/acct_unique
including configuration file /opt/etc/raddb/modules/unix
including configuration file /opt/etc/raddb/modules/chap
including configuration file /opt/etc/raddb/modules/preprocess
including configuration file /opt/etc/raddb/modules/expiration
including configuration file /opt/etc/raddb/modules/mac2vlan
including configuration file /opt/etc/raddb/modules/mschap
including configuration file /opt/etc/raddb/modules/ippool
including configuration file /opt/etc/raddb/modules/files
including configuration file /opt/etc/raddb/modules/krb5
including configuration file /opt/etc/raddb/modules/passwd
including configuration file /opt/etc/raddb/modules/radutmp
including configuration file /opt/etc/raddb/modules/attr_rewrite
including configuration file /opt/etc/raddb/modules/echo
including configuration file /opt/etc/raddb/modules/etc_group
including configuration file /opt/etc/raddb/modules/pap
including configuration file /opt/etc/raddb/modules/realm
including configuration file /opt/etc/raddb/modules/pam
including configuration file /opt/etc/raddb/modules/always
including configuration file /opt/etc/raddb/modules/exec
including configuration file /opt/etc/raddb/modules/logintime
including configuration file /opt/etc/raddb/modules/sql_log
including configuration file /opt/etc/raddb/modules/smbpasswd
including configuration file /opt/etc/raddb/modules/sradutmp
including configuration file /opt/etc/raddb/modules/counter
including configuration file /opt/etc/raddb/modules/ldap
including configuration file /opt/etc/raddb/modules/expr
including configuration file /opt/etc/raddb/modules/attr_filter
including configuration file /opt/etc/raddb/modules/checkval
including configuration file /opt/etc/raddb/modules/digest
including configuration file /opt/etc/raddb/modules/detail
including configuration file /opt/etc/raddb/modules/detail.log
including configuration file /opt/etc/raddb/modules/mac2ip
including configuration file /opt/etc/raddb/modules/detail.example.com
including configuration file /opt/etc/raddb/modules/inner-eap
including configuration file /opt/etc/raddb/modules/linelog
including configuration file /opt/etc/raddb/modules/otp
including configuration file /opt/etc/raddb/modules/perl
including configuration file /opt/etc/raddb/modules/smsotp
including configuration file /opt/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /opt/etc/raddb/modules/wimax
including configuration file /opt/etc/raddb/modules/cui
including configuration file /opt/etc/raddb/modules/dynamic_clients
including configuration file /opt/etc/raddb/modules/ntlm_auth
including configuration file /opt/etc/raddb/modules/opendirectory
including configuration file /opt/etc/raddb/eap.conf
including configuration file /opt/etc/raddb/sql.conf
including configuration file /opt/etc/raddb/sql/mysql/dialup.conf
including configuration file /opt/etc/raddb/policy.conf
including files in directory /opt/etc/raddb/sites-enabled/
including configuration file /opt/etc/raddb/sites-enabled/default
including configuration file /opt/etc/raddb/sites-enabled/inner-tunnel
including configuration file /opt/etc/raddb/sites-enabled/control-socket
main {
    allow_core_dumps = no
}
including dictionary file /opt/etc/raddb/dictionary
main {
    prefix = "/opt"
    localstatedir = "/opt/var"
    logdir = "/var/log/radius"
    libdir = "/opt/lib"
    radacctdir = "/var/log/radius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/opt/var/run/radiusd/radiusd.pid"
    checkrad = "/opt/sbin/checkrad"
    debug_level = 0
    proxy_requests = no
    log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: Loading Realms and Home Servers
radiusd: Loading Clients
 client localhost {
    ipaddr = 127.0.0.1
    require_message_aut
Re: PEAP w/ freeradius to LDAP storing ntPassword not working
I put the debug into the form at http://networkradius.com/freeradius.html and got the following for the first packet.

My LDAP entry:

dn: uid=sding,ou=People,dc=fsu,dc=edu
ntPassword: 771CFDFE02A8C15E15B3E0E4974602FA

smbencrypt of my password; they are the same as in the ldap query:

LM Hash                          NT Hash
FC6252923272ADAEC6EBE8776A153FEB 771CFDFE02A8C15E15B3E0E4974602FA

Radius debug interpreter output:

[ldap] ntPassword -> NT-Password == 0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?

Could someone kindly shed some light on this please?

Thanks,

Schilling

Packet 0
rad_recv: Access-Request packet from host 127.0.0.1 port 35206, id=243, length=113
        User-Name = "sding"
        NAS-IP-Address = 128.186.33.38
        NAS-Port = 3
        MS-CHAP-Challenge = 0x1f0a6708d52907ac
        MS-CHAP-Response = 0x0001b521c0b0b7e69a6109b6b5a5ed5724222914a679acbb5208
server ldap_ntpassword_1814 {
# Executing section authorize from file /opt/etc/raddb/radiusd.conf
+- entering group authorize {...}
[ldap] performing user authorization for sding
[ldap] expand: (&(uid=%u)(!(uid=lib-guest*))) -> (&(uid=sding)(!(uid=lib-guest*)))
[ldap] expand: dc=fsu,dc=edu -> dc=fsu,dc=edu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to mds.fsu.edu:389, authentication 0
[ldap] starting TLS
[ldap] bind as cn=radius-proxy,ou=proxy-users,dc=fsu,dc=edu/y0dayad0 to mds.fsu.edu:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=fsu,dc=edu, with filter (&(uid=sding)(!(uid=lib-guest*)))
[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x3737314346444645303241384331354531354233453045343937343630324641
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sding authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
Found Auth-Type = MSCHAP
WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Failed to authenticate the user.
Login incorrect: [sding] (from client localhost port 3)
} # server ldap_ntpassword_1814
Using Post-Auth-Type Reject
WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action.
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 243 to 127.0.0.1 port 35206

On Thu, Nov 4, 2010 at 2:41 PM, schilling wrote:
> Hi All,
>
> We had ntPassword hash in our ldap server, now the authentication from
> peap from windows computer and radtest -t mschap fail. Attached please
> find the full debug information. My username is sding for the testing.
>
> Thanks,
>
>
> [r...@auth2 opt]# ./sbin/radiusd -X
> FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov 4
> 2010 at 13:04:32
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /opt/etc/raddb/radiusd.conf
> including configuration file /opt/etc/raddb/clients.conf
> including files in directory /opt/etc/raddb/modules/
> including configuration file /opt/etc/raddb/modules/policy
> including configuration file /opt/etc/raddb/modules/acct_unique
> including configuration file /opt/etc/raddb/modules/unix
> including configuration file /opt/etc/raddb/modules/chap
> including configuration file /opt/etc/raddb/modules/preprocess
> including configuration file /opt/etc/raddb/modules/expiration
> including configuration file /opt/etc/raddb/modules/mac2vlan
> including configuration file /opt/etc/raddb/modules/mschap
> including configuration file /opt/etc/raddb/modules/ippool
> including configuration file /opt/etc/raddb/modules/files
> including configuration file /opt/etc/raddb/modules/krb5
> including configuration file /opt/etc/raddb/modules/passwd
> including configuration file /opt/etc/raddb/modules/radutmp
> including configuration file /opt/etc/raddb/modules/attr_rewrite
> includ
Re: PEAP w/ freeradius to LDAP storing ntPassword not working
I asked the ldap admin to change the format of the ntPassword to prepend it with 0x. Now radiusd -X gets the right hash, but it still says no "known good" password was found in LDAP. Nevertheless, the authorization is ok. What is the right format to put in our ldap ntPassword attribute? Should I ignore the error and focus on the Auth-Type error?

I will reinstall 2.1.0 with all defaults, and try it again.

Thanks,

Schilling

[ldap] looking for check items in directory...
[ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user sding authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok wrote:
> schilling wrote:
>> Found Auth-Type = EAP
>> WARNING: Unknown value specified for Auth-Type. Cannot perform
>> requested action.
>
> You have edited the default configuration and broken it. Don't do that.
>
> Alan DeKok.
Re: PEAP w/ freeradius to LDAP storing ntPassword not working - resolved
I am able to have peap/mschapv2 work with the ldap NT hash. radtest -t mschap will not work for peap/mschapv2; the real Windows supplicant and wireless access point will work. The format in ldap is not relevant; with or without the preceding 0x will work.

The configuration I changed from default is the following:

clients.conf - to add the testing AP ip and secret
eap.conf - to add the real certificate thing etc.
modules/ldap - to add the ldap proxy account information.
site-enabled/inner-tunnel - uncomment the ldap line in authorize

authorize {
    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap
}

Now whenever I try to have a virtual server for another instance, it has the same error as before. When I copied the site-enabled/default content and put it within the virtual server, it was working again. I then tried to reduce it to the minimum necessary configuration; the following is what the virtual server needs to work:

server ldap_ntpassword_1814 {
    listen {
        type = auth
        ipaddr = *
        port = 1814
    }
    listen {
        ipaddr = *
        port = 1815
        type = acct
    }
    authorize {
        eap {
            ok = return
        }
    }
    authenticate {
        eap
    }
}

Thanks,

Schilling

On Fri, Nov 5, 2010 at 7:12 AM, schilling wrote:
> I asked the ldap admin to change the format of the ntPassword to
> prepend with 0x, now radius -X get the right hash, but it still have
> no "known good" password was found in LDAP. Nevertheless, the
> authorization is ok. What is the right format to put in our ldap
> ntPassword attribute? Should I ignore the error and focus on the
> Auth-Type error?
>
> I will reinstall 2.1.0 with all default, and try it again.
>
> Thanks,
>
> Schilling
>
> [ldap] looking for check items in directory...
> [ldap] ntPassword -> NT-Password == 0x771cfdfe02a8c15e15b3e0e4974602fa
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP. Are you sure
> that the user is configured correctly?
> [ldap] user sding authorized to use remote access
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
>
>
> On Thu, Nov 4, 2010 at 11:10 PM, Alan DeKok wrote:
>> schilling wrote:
>>> Found Auth-Type = EAP
>>> WARNING: Unknown value specified for Auth-Type. Cannot perform
>>> requested action.
>>
>> You have edited the default configuration and broken it. Don't do that.
>>
>> Alan DeKok.
Re: Logging ntlm authentication
Hi,

Could you please summarize what you did to log the output from ntlm_auth and MS-CHAP-Error? Even a configuration snippet will be greatly appreciated!

Thanks,

Schilling

On Wed, Sep 8, 2010 at 5:02 PM, Garber, Neal wrote:
>> Hmm... OK. The issue appears to be that the tunneled reply is saved
>> for Access-Accept, but not Access-Reject.
>> See "accept_vps" in rlm_eap_peap/*. Something similar needs to be
>> done for reject, and for TTLS.
>
> You are a gentleman and a scholar! I have made the changes as you suggested
> for PEAP and tested PEAP-MSCHAPv2. It works! I am now able to log the
> output from ntlm_auth and MS-CHAP-Error. I'm also excited about the improved
> TLS logging in 2.1.10.
>
> I will add the code for TTLS now. Unfortunately, I don't have a way to test
> that as I don't believe eapol_test supports TTLS and we don't use it. I
> suppose someone else can test it once I upload the patch (which I will do
> after I make the TTLS changes).
>
> Thanks again Alan.
Re: Logging ntlm authentication
Thanks. Could you please share the perl scripts and the corresponding configuration in radiusd.conf, like the authorize and post-auth sections related to these logs?

Schilling

On Wed, Nov 10, 2010 at 10:04 PM, Garber, Neal wrote:
>> Could you please summarize what you did to log the output from
>> ntlm_auth and MS_CHAP-Error?
>
> Sure. I should mention that other options are available now that didn't
> exist when I created the solution below...
>
> I have a PERL script that runs during authorize that obtains user/group or
> machine/container permissions for the NAS in question from XML files to
> determine whether the entity is authorized and it creates a Log-Data reply
> attribute containing all non-sensitive request attributes. This is then
> written to syslog during post-auth by another PERL script.
>
> Our help desk and others use a .Net application that I wrote to
> display/filter the data from the current or past log files in a grid control.
> The log contains specifics of the request, authorization and authentication
> results/messages and reply attributes.
>
> Does that answer your question?
One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?
We got ntlm_auth against AD working for PEAP; we also got a separate server for PEAP against the ldap ntPassword hash.

In the latest etc/raddb/modules/mschap:

#  The module can perform authentication itself, OR
#  use a Windows Domain Controller.  This configuration
#  directive tells the module to call the ntlm_auth
#  program, which will do the authentication, and return
#  the NT-Key.  Note that you MUST have "winbindd" and
#  "nmbd" running on the local machine for ntlm_auth
#  to work.  See the ntlm_auth program documentation
#  for details.
#
#  If ntlm_auth is configured below, then the mschap
#  module will call ntlm_auth for every MS-CHAP
#  authentication request.  If there is a cleartext
#  or NT hashed password available, you can set
#  "MS-CHAP-Use-NTLM-Auth := No" in the control items,
#  and the mschap module will do the authentication itself,
#  without calling ntlm_auth.
#
#  Be VERY careful when editing the following line!

Is there any way to have a virtual server (1812/1813) for mschapv2-ntlm_auth-AD and another virtual server (1814/1815) for the mschapv2-ldap ntPassword hash?

Here is our situation:

We have faculty/staff in Active Directory. So we are using ntlm_auth against AD for their network authentication. Faculty/staff will sign on with username, and it will get directed to ntlm_auth against AD.

We have students in ldap with ntPassword but not in AD. So we would like to have students sign on with usern...@foo.edu, so we can manipulate the radius configuration to direct usern...@foo.edu to use ldap ntPassword authentication.

Is there any way using freeradius to accomplish this?

Thanks for any insight!

Schilling
Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?
Hi Alan,

Thanks for the hint. Just to be sure: both users (username and usern...@foo.edu) will use eap/mschapv2 to authenticate. But there is only one mschap module in etc/raddb/modules/?

Regards,

Schilling

On Tue, Dec 7, 2010 at 3:41 PM, Alan DeKok wrote:
> schilling wrote:
>> We got ntlm_auth against AD working for PEAP, we also got separate
>> server for PEAP against ldap ntPassword hash.
>>
>> ...
>> Is there any way to have a virtual server(1812/1813) for
>> mschapv2-ntlm_auth-AD and another virtual server(1814/1815) for
>> mschapv2-ldap ntPassword hash?
>
> Yes. But I don't think that's necessary.
>
>> Here is our situation:
>> We have faculty/staff in active directory.So we are using ntlm_auth
>> against AD for their network authentication. Faculty/staff will sign
>> on with username, it will get directed to ntpm_auth against AD.
>> We have student in ldap with ntPassword but not in AD. So we would
>> like to have student sign on with usern...@foo.edu, so we can
>> manipulate the radius configuration to direct usern...@foo.edu to use
>> ldap ntPassword authentication.
>>
>> Is there anyway using freeradius to accomplish this?
>
> Yes. And you don't need two virtual servers.
>
> 1) edit the "authorize" section to do...
> 2) if people log in with "u...@foo.edu", run "ldap"
> 3) else force "ntlm_auth"
>
> You might have to declare a "foo.edu" realm, but that shouldn't be an
> issue. The config should really be about 10 lines changed from the default.
>
> Develop this by:
>
> 1) adding realm "foo.edu"
> 2) enabling ldap
> 3) checking authentication
>
> 4) adding "if not realm foo.edu"
> 5) do ntlm_auth, as per the docs, wiki, etc.
>
> Alan DeKok.
Re: Assign VLAN
We use perl:

$RAD_REPLY{'Service-Type'} = "Framed-User";
$RAD_REPLY{'Tunnel-Type'} = "VLAN";
$RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
$RAD_REPLY{'Tunnel-Private-Group-Id'} = "resnet";

Schilling

On Thu, Dec 9, 2010 at 10:17 AM, Alan Buxey wrote:
> Hi,
>> VLAN ID assignment should be done in Access-Accept, not in
>> Access-Challenge. Try to compare Access-Accept sent by Cisco ACS and
>> Access-Accept sent by FreeRADIUS.
>
> yes - ours is in post-auth session (run via PERL)
>
> alan
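What those four Perl reply items become on the wire, as an added example written for this page (not the poster's script and not FreeRADIUS's own encoder): RFC 2868 carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id as tagged attributes, with a one-byte tag in front of the value, and the VLAN is sent as a string, which is why a name like "resnet" works as well as a numeric ID. Attribute numbers and enum values are the registered ones (RFC 2865, 2868, 3580); the tag value 0 and the function names are this example's assumptions.

```python
import struct

# Attribute numbers (RFC 2865 / RFC 2868) and the enum values the Perl snippet names
SERVICE_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 6, 64, 65, 81
FRAMED_USER = 2   # Service-Type = Framed-User
VLAN = 13         # Tunnel-Type = VLAN (RFC 3580)
IEEE_802 = 6      # Tunnel-Medium-Type = IEEE-802


def avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including the 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: 1 tag byte followed by a 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < (1 << 24):
        raise ValueError("tagged integer is only 24 bits wide")
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """RFC 2868 tagged string: 1 tag byte followed by the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return avp(attr_type, bytes([tag]) + text.encode())


def vlan_reply_avps(vlan: str, tag: int = 0) -> bytes:
    """The Access-Accept attribute list that the Perl $RAD_REPLY block produces."""
    return b"".join([
        avp(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)),
        tagged_int(TUNNEL_TYPE, tag, VLAN),
        tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan),
    ])


def decode_avps(blob: bytes) -> list:
    """Walk a RADIUS attribute list; returns (type, tag or None, value) per attribute."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        v = blob[i + 2:i + length]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((t, v[0], int.from_bytes(v[1:], "big")))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag
            tag, body = (v[0], v[1:]) if v[0] <= 0x1F else (None, v)
            out.append((t, tag, body.decode()))
        elif len(v) == 4:
            out.append((t, None, int.from_bytes(v, "big")))
        else:
            out.append((t, None, v))
        i += length
    return out


if __name__ == "__main__":
    wire = vlan_reply_avps("resnet")
    print(wire.hex())
    for item in decode_avps(wire):
        print(item)
```

decode_avps applies the RFC 2868 rule that a leading byte above 0x1F in Tunnel-Private-Group-ID belongs to the string rather than being a tag, which is how a NAS tells the two encodings apart. As the quoted reply says, these attributes belong in the Access-Accept; sending them in an Access-Challenge has no effect on the port.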
Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?
Got the whole setup working. So basically if users sign on with usern...@foo.edu with eap, they will be sent to ldap with ntpassword authorization. If users sign on with username only with eap, they will be sent to Active Directory with ntlm authentication.

The configuration changes are the following:

etc/raddb/proxy.conf - add

realm foo.edu {
}
realm NULL {
}

/etc/raddb/site-enabled/inner-tunnel - at the ldap line in the authorize section add

switch "%{Realm}" {
    case foo.edu {
        ldap
        # see /etc/raddb/module/mschap: if ntpassword is available, then do not use
        # NTLM_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := NO
        }
    }
    case NULL {
        mschap
    }
}

etc/raddb/module/mschap and etc/raddb/module/ntlm are all from the "integrate with Active Directory" howto.

Thanks for the great software, and I cannot wait to see the finish of the book. There are so many internals to be understood.

Schilling

On Wed, Dec 8, 2010 at 2:12 AM, Alan DeKok wrote:
> schilling wrote:
>> Just to be sure. Both user(username and usern...@foo.edu) will use
>> eap, mschapv2 to authenticate. But there is only one mschap module in
>> etc/raddb/modules/?
>
> So... configure another mschap module.
>
> See raddb/modules/files for examples of configuring two instances of
> the same module.
>
> Alan DeKok.
dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Hi All,

The group helped me configure the freeradius server to do mschapv2 against ldap with ntPassword if the user signs on with usern...@foo.edu, and to do mschapv2 against AD with ntlm if the user just signs on with username.

Now I want to go one step further - passing some attributes back to the NAS. Basically, I want to achieve:

If (ldap authorization) {
    if (ldap.employeeStatus = facstaff) {
        REPLY{'Service-Type'} = "Framed-User";
        REPLY{'Tunnel-Type'} = "VLAN";
        REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
        REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
    } else { # no ldap.employeeStatus attribute or ldap.employeeStatus != facstaff
        REPLY{'Service-Type'} = "Framed-User";
        REPLY{'Tunnel-Type'} = "VLAN";
        REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
        REPLY{'Tunnel-Private-Group-Id'} = "student";
    }
} else { # ntlm authentication
    REPLY{'Service-Type'} = "Framed-User";
    REPLY{'Tunnel-Type'} = "VLAN";
    REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
    REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
}

What's the easiest way to accomplish this? unlang? perl module? Where to start?

Thanks,

Schilling

from: schilling
to: FreeRadius users mailing list
date: Tue, Dec 14, 2010 at 3:14 PM
subject: Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?
mailed-by: gmail.com

Got the whole setup working. So basically if users sign on with usern...@foo.edu with eap, they will be sent to ldap w/ ntpassword authorization. If users sign on with username only with eap, they will be sent to active directory w/ ntlm authentication.

configuration changes are the following:

etc/raddb/proxy.conf add

realm foo.edu {
}
realm NULL {
}

/etc/raddb/site-enabled/inner-tunnel at the ldap line in authorize section add

switch "%{Realm}" {
    case foo.edu {
        ldap
        # see /etc/raddb/module/mschap: if ntpassword available, then do not use
        # NTLM_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := NO
        }
    }
    case NULL {
        mschap
    }
}

etc/raddb/module/mschap, etc/raddb/module/ntlm are all from integrate with Active Directory howto.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Where should I put the perl script? I already have a perl module for another virtual server to use radscript.

I also tried unlang in post-auth, like

if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
    update outer.reply {
        Service-Type = "Framed-User"
        Tunnel-Type = "VLAN"
        Tunnel-Medium-Type = "IEEE-802"
        Tunnel-Private-Group-Id = "facstaff"
    }
}

I did map something to fooEmployeeStatus in ldap.attrmaps.

Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i )
/home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors parsing post-auth section.

How can I reference User-Name in the post-auth section of inner-tunnel?

Thanks,

Schilling

On Thu, Jan 20, 2011 at 2:15 PM, Alan DeKok wrote:
> schilling wrote:
>> Basically, I want to achieve
>> If (ldap authorization) {
>> if (ldap.employeeStatus = facstaff) {
>> REPLY{'Service-Type'} = "Framed-User";
>> REPLY{'Tunnel-Type'} = "VLAN";
>> REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
>> REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
>> } else { # no ldap.employeeStatus attribute or ldap.employeeStatus
>
> You can put pretty much that into a Perl script, or into "unlang".
>
>> What's the easiest way to accomplish this? unlang? perl module? Where to
>> start?
>
> I'd write a Perl script first.
>
> Alan DeKok.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
I have the following questions for using perl, though. Since I already use LDAP or ntlm_auth for inner-tunnel mschapv0 authentication, will there be any flag set so I can know whether LDAP or ntlm_auth is used for mschapv0 authentication in the perl script? Also, if I need to check ldap/AD for certain attributes in the perl script, do I need to make another call to them via LDAP in the perl module? Where should I put the perl script?

Many Thanks,

Schilling

On Thu, Jan 20, 2011 at 2:15 PM, Alan DeKok wrote:
> schilling wrote:
>> Basically, I want to achieve
>> If (ldap authorization) {
>> if (ldap.employeeStatus = facstaff) {
>> REPLY{'Service-Type'} = "Framed-User";
>> REPLY{'Tunnel-Type'} = "VLAN";
>> REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
>> REPLY{'Tunnel-Private-Group-Id'} = "facstaff";
>> } else { # no ldap.employeeStatus attribute or ldap.employeeStatus
>
> You can put pretty much that into a Perl script, or into "unlang".
>
>> What's the easiest way to accomplish this? unlang? perl module? Where to
>> start?
>
> I'd write a Perl script first.
>
> Alan DeKok.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Hi Alexander,

I am trying to play with your configuration. Basically I have a virtual server called auth as in your example, and modified my eap.conf for peap to use auth. What's the config:local.MY.realm?

My debug showed:

[suffix] Looking up realm "foo.edu" for User-Name = "sd...@foo.edu"
[suffix] Found realm "foo.edu"
[suffix] Adding Stripped-User-Name = "sding"
[suffix] Adding Realm = "foo.edu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" )
?? Evaluating (outer.request:EAP-Message) -> TRUE
        expand: local.MY.realm -> local.MY.realm
WARNING: No such configuration item local.MY.realm
        expand: %{config:local.MY.realm} ->
? Evaluating (Realm != "%{config:local.MY.realm}" ) -> TRUE
++? if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) -> TRUE
++- entering if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) {...}
        expand: Realm is '%{Realm}' on Inside -> Realm is 'foo.edu' on Inside
+++[outer.reply] returns ok
+++[reject] returns reject
++- if (( outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}" ) returns reject
} # server auth

Thanks,

Schilling

On Fri, Jan 21, 2011 at 3:49 AM, Alexander Clouter wrote:
> schilling wrote:
>>
>> Where should I put the perl script? I already have a perl module for
>> another virtual server to use radscript.
>>
>> I also tried unlang in post-auth, like
>> if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
>> update outer.reply {
>> Service-Type = "Framed-User"
>> Tunnel-Type = "VLAN"
>> Tunnel-Medium-Type = "IEEE-802"
>> Tunnel-Private-Group-Id = "facstaff"
>> }
>> }
>>
> I cannot recommend more *not* to do your authorisation in the inner
> tunnel, and instead to pass it back on out. There are a number of
> reasons, clarity including, but especially you then can make use of the
> reject path...
>
> In case it helps, this is what we (a small-medium university in the
> UK) do. In our eap block we set (we use TTLS, however it should be the
> same for PEAP):
>
> eap {
>     ...
>
>     ttls {
>         ...
>         copy_request_to_tunnel = no
>         use_tunneled_reply = yes
>         virtual_server = "auth"
>     }
>
>     ...
> }
>
> Then we have a 'auth' virtual server:
>
> server auth {
>     authorize {
>         if ((outer.request:EAP-Message)) {
>             update outer.request {
>                 User-Name := "%{request:User-Name}"
>             }
>             update reply {
>                 User-Name := "%{request:User-Name}"
>             }
>         }
>
>         validate_username
>
>         suffix
>
>         if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") {
>             update outer.reply {
>                 Reply-Message := "Realm is '%{Realm}' on Inside"
>             }
>             reject
>         }
>
>         # if the password is passed to us use it, otherwise yank it from LDAP
>         if ((outer.request:Cleartext-Password)) {
>             update control {
>                 Cleartext-Password := "%{outer.request:Cleartext-Password}"
>             }
>         }
>         else {
>             ldap-login
>
>             # some accounts are glitched and do not have a UP :(
>             if (ok && !(control:Cleartext-Password)) {
>                 update outer.reply {
>                     Reply-Message := "No eDirectory UP"
>                 }
>                 reject
>             }
>         }
>
>         pap
>         chap
>         mschap
>
>         update reply {
>             Auth-Type := "%{control:Auth-Type}"
>         }
>     }
>
> a
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Thanks a lot.

More questions.

If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

I am trying to follow your comment on this. I now realized we used to run eDir and have now converted to the iPlanet directory. Anyway, do I still need to enable the compilation --with-edir option as stated below? My guess is yes, since otherwise I could not call ldap in the post-auth section in the "auth" virtual server for eap.

##etc/raddb/modules/ldap
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
#edir_account_policy_check = no

What I want to do is just to check some attributes in our ldap server. Our structure is like the following:

# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: uid=sding
# requesting: ALL
#

# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding

I would like to cache the following attribute/values in your example cache_ldap-userdn.pm, so I can use these values as logic to assign users to different VLANs. Can I do that in your pm?

fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active

Thanks,

Schilling

On Mon, Jan 24, 2011 at 4:38 PM, Alexander Clouter wrote:
> schilling wrote:
>>
>> I am trying to play with your configuration, basically I have a
>> virtual server call auth as your example, and modified my eap.conf for
>> peap to use auth.
>>
>> what's the config:local.MY.realm?
>> My debug showed
>>
> Phil pretty much covered it (and in a neater manner I was not aware
> could be used, but it is obvious now seeing it...), I put all the 'local
> site' specific details into a single configuration file (including
> SQL/LDAP binding credentials) so that if I want to give someone a copy
> of my config, all I have to really do is trim the 'local' file and know I
> have not leaked anything important.
>
> For example, just after '$INCLUDE clients.conf' in the main radiusd.conf
> file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file
> is:
>
> local.MY.hostname = iodine.it.soas.ac.uk
> local.MY.addr.v6 = 2001:630:1b:6004:168c:9d91:127f:bb0c
> local.MY.addr.v4 = 212.219.138.70
>
> local.MY.realm = soas.ac.uk
>
> local.addr.v6 = 2001:630:1b:1001:624a::15bb
> local.addr.v4 = 193.63.73.37
>
> local.test.username = test-username
> local.test.password = [ahem]
>
> local.ldap.server.1 = ldap1.soas.ac.uk
> local.ldap.server.2 = ldap2.soas.ac.uk
> local.ldap.username = cn=cheese,ou=is,o=tasty
> local.ldap.password = NOM
>
> local.sql.server = sql.soas.ac.uk
> local.sql.username = radius-username
> local.sql.password = oh-so-very-secret
>
> local.cert.password = omg-do-not-tell-anyones
>
> [snipped]
>
> $INCLUDE ${confdir}/LOCAL/templates.conf
>
> $INCLUDE ${confdir}/LOCAL/policy.conf
>
> $INCLUDE ${confdir}/LOCAL/proxy.conf
>
> $INCLUDE ${confdir}/LOCAL/clients/
>
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: Riches cover a multitude of woes.
>                   -- Menander
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
I believe I resolved this. I used eapol_test to get all wanted result, and will try on real NAS later on. The following is what I did. Basically I followed Alexander's example, Modified peap section in eap.conf to use another virtual server "auth" instead of inner-tunnel virtual server. I almost blindly copied Alexander's example in auth server except I removed the reject for the realm checks. The ldap cache pm is not needed in my case since I do not query windows AD via LDAP to get their attributes. If I want to do ldap after ntlm against AD, then Alexander's pm might be needed. Then I want to map certain attribute like employeeStatus from our iPlanet ldap server to some radius attribute, so I can manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary ATTRIBUTE My-Local-employeeStatus 3000string and the following line in etc/raddb/ldap.attrmap #FOO specific attributes replyItem My-Local-employeeStatus employeeStatus Without these two line addition, radius will complain unknown attribute. Then in the post-auth section #default will have no Tunnel attribute/value, instead, they will be configured on #the NAS to go to student VLANs. # this will cover my ldap ntPassword authentication/authorization #facstaff have employeeStatus set while student does not if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) { update reply { Service-Type = "Framed-User" Tunnel-Type = "VLAN" Tunnel-Medium-Type = "IEEE-802" Tunnel-Private-Group-Id = "facstaff" } } #this will cover my AD ntlm auth, People in AD are all facstaff if ( "%{User-Name}" !~ /@/ ) { update reply { Service-Type = "Framed-User" Tunnel-Type = "VLAN" Tunnel-Medium-Type = "IEEE-802" Tunnel-Private-Group-Id = "facstaff" } } In this way, people can map arbitrary attribute from ldap to radius, if not in dictionary/ldap.attrmap, then just defined your own. Then you have flexibility of using these attribute/value in your logic at post-auth section. 
Thanks all for the hints and help!

Schilling

On Tue, Jan 25, 2011 at 4:23 AM, Alexander Clouter wrote:
> schilling wrote:
>>
>> Thanks a lot.
>>
>> More questions.
>>
>> If you want to lower the load (and authentication latency) on your AD
>> servers then you might want to look at the following too:
>>
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html
>>
> First things first, did you get it all working? If not, start there.
>
> When I say 'lower the load', all it does is reduce the number of EAP
> packets from about 12 to 4 that are needed for a session resumption; but
> also means you only need two LDAP lookups rather than 12. So your AD
> load will go from 0.01 to 0.01 or something. I am bigging
> up the numbers more than it is worth (although the latency bit is
> possibly handy for roaming devices).
>
>> I am trying to follow your comment on this. I now realized we used to
>> run eDir and now converted to iplanet directory. Anyway, do I still
>> need to enable the compilation --with-edir option as stated below? My
>> guess is yes since otherwise, I could not call ldap in the post-auth
>> section in "auth" virtual server for eap.
>>
>> ##etc/raddb/modules/ldap
>> # Un-comment the following to disable Novell
>> # eDirectory account policy check and intruder
>> # detection. This will work *only if* FreeRADIUS is
>> # configured to build with --with-edir option.
>> #
>> #edir_account_policy_check = no
>>
>> What I want to do is just to check some attribute in our ldap server,
>> our structure is like the following:
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base with scope subtree
>> # filter: uid=sding
>> # requesting: ALL
>> #
>>
>> # sding, People, foo.edu
>> dn: uid=sding,ou=People,dc=foo,dc=edu
>> ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
>> fooEduPSHRdeptName: Information Technology Service (ITS)
>> fooEduPSHRDepartmentNumber: 123456
>> fooEduEmployeeStatus: Active
>> employeeStatus: Active
>> uid: sding
>>
> The eDir bits are probably not needed as you are using mschap with
> those 'ntPassword' attributes. eDir has 'universal password' which is a
Re: Active Directory and authorize section
I was thinking about this too. Do we need a separate ldap call to retrieve certain attributes from AD, and then use ntlm_auth for authentication?

Schilling

On Wed, Feb 2, 2011 at 10:23 AM, Brett Littrell wrote:
> Hey Brian,
>
> Very interesting, I would have thought Authenticate came first then
> Authorize since you need to authenticate in order to be authorized. If that
> is the case and say you pull the vlan ids from ldap, or some other
> directory, how would Freeradius know what those values are prior to knowing
> who you are? Or are you saying that the way the program loads the config
> the authorize section simply gets read first?
>
> Brett Littrell
> Network Manager
> MUSD
> CISSP, CCSP, CCVP, MCNE
>
>>>> On Wednesday, February 02, 2011 at 12:05 AM, in message <20110202080557.ga2...@talktalkplc.com>, Brian Candler wrote:
> I'd say that's not exactly true, or is not very clear anyway.
>
> (1) freeradius always runs the authorize section first, then the
> authenticate section
>
> (2) the authorize section is where you do any sort of database lookups
> needed, both to determine the reply attributes to send (in case the user
> does authenticate successfully), and at the same time to find any
> information needed to perform user authentication, such as the expected
> password (Cleartext-Password in the control list)
>
> (3) the authenticate section normally uses that extra info to perform the
> authentication. If it fails, the reply attributes are stripped out and a
> reject is sent.
>
> Using ntlm_auth is a special case, in that it can authenticate without
> knowing the password: it delegates the whole authentication to a different
> database.
>
> That's fine, but if you don't have anything in your authorize section then
> you'll just be sending back an empty "Access-Accept" without any reply
> attributes. In some applications this may be sufficient.
>
> This sort of delegation is rather like proxying, and indeed, you can run IAS
> on your AD box and just proxy to it.
>
> IAS has a limitation of 50 RADIUS client IPs (unless you have Windows Server
> Enterprise edition), but fortunately each freeradius server you put in front
> of it only counts as one client :-)
>
> Regards,
>
> Brian.
Re: MAC Authentication - Bad Idea?
We implemented MAC authentication with netreg at http://netreg.sourceforge.net. We used the DHCP/DNS/HTTP piece from netreg. Its essence is DHCP/DNS/HTTP on one server. Basically there will be a vlan we called sandbox with ip helper-address pointing to sandbox.foo.edu. The DHCP is configured to have DNS pointing to sandbox.foo.edu too. bind is configured to resolve everything to sandbox.foo.edu. HTTP is configured with a dynamic webpage as explained later on.

The logic is like the following

    if (mac not in your database ) {
        send back a sandbox vlan
        #user open any webpage will get redirected to single server
    } else if (mac in your database) {
        if (user blocked ) {
            sendback sandbox VLAN
        }
        send back regular vlan name with additional attribute as you want
    }

On the web server, if you are here, you are either unregistered or registered but blocked. We have a dynamic webpage to do the following things

    #mac not registered
    #user webpage to get IP, then use IP to get MAC from DHCP lease file
    if (MAC not in database ) {
        webportal of login with (ldap, ssh, ftp) backend, mac address will be populated in the database.
    }
    #mac in database but blocked
    else {
        display the mac is blocked and call helpdesk
    }

We used this to gain a lot of knowledge/experience on dot1x, and are now moving toward 802.1x.

Schilling

On Wed, Feb 2, 2011 at 2:15 PM, Jim Rice wrote:
> Thanks, Alan.
>
> The MikroTik routers can be configured to send a variety of MAC address
> formats, the default is XX:XX:XX:XX:XX:XX
>
> It can also be set to include the same MAC address in the Password field,
> instead of NULL, but I do not see any added benefit to that.
>
>>> but had to set Auth-Type := Accept.
>>
>> Hmm... that's probably not the best way to do it,
>> but if it works...
>
> Is there a best (or better) way?
>
> Do I need to be concerned with MAC spoofing?
>
> Thanks again,
>
> Jim
Re: Freeradius + LDAP for WPA-Enterprise
If you want to use ldap as an authentication source, either you have plaintext passwords in ldap or the ntPassword hash stored in ldap. You can search the list for my name; I just got both eap/peap against Active Directory w/ ntlm_auth and against ldap w/ ntPassword working recently. I posted my configuration on the list. I am using peap because we don't want to install a third party supplicant.

Schilling

On Fri, Feb 11, 2011 at 3:44 PM, Gary Gatten wrote:
> PS: We also use ntlm_auth for 802.1x. All the docs I read and the comments
> within the various FR files say EAP and LDAP won't work - for Authentication.
> Authorization should be fine.
>
> G
>
> -----Original Message-----
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
> [mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
> Behalf Of Max Schröder
> Sent: Friday, February 11, 2011 2:31 PM
> To: FreeRadius users mailing list
> Subject: Re: Freeradius + LDAP for WPA-Enterprise
>
> Gary Gatten wrote:
>> You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play
>> well together. Remove the "Auth Type LDAP" - for now.
>>
> If I remove that the radtest failed for a LDAP-User. It returns a
> rejected Message.
>> As for accomplishing your goal, unfortunately others will have to help you
>> with that - I don't know FR/LDAP/EAP well enough. But, I don't THINK you
>> can authenticate EAP requests against LDAP directly because of the "no clear
>> text password" issue.
>>
> How else would you authenticate a WPA(2)-Enterprise with Radius using
> LDAP-Accounts?
Hash username or mac address to assign user to different vlan
Hi All,

I got dynamic VLAN assignment working in the post-auth section with help/hints from a lot of list members. Now I want to do one more step. I would like to hash the username or mac-address to distribute users to different VLANs. The idea is to use freeradius to spread the load on different smaller subnets to reduce the broadcast in bigger VLANs.

For example I want to do the following

    if ( "%{User-Name}" !~ /@/ ) {
        if ( %{User-Name}%2 == 0 ) {
            update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff0"
            }
        }
        elsif ( %{User-Name}%2 == 1 ) {
            update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff1"
            }
        }
    }

Will I be able to do this in the post-auth with unlang?

Thanks,

Schilling

---------- Forwarded message ----------
From: schilling
Date: Tue, Jan 25, 2011 at 10:19 AM
Subject: Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
To: FreeRadius users mailing list
Re: Hash username or mac address to assign user to different vlan
Could you share your configuration and perl script? So I can learn from it?

I am thinking of using ldap status to decide the pool, then hashing the mac address of the client to get a different VLAN. This is actually similar to how some vendor VLAN pools work, except we are not trying to get the same result as its hash algorithm. And we already had the flexibility in radius a long long time ago.

Schilling

On Fri, Feb 18, 2011 at 9:16 AM, Dean, Barry wrote:
> I have been asked to do just this and I am working on the solution now.
>
> We wanted to use multiple pools of VLANs/Subnets and assign "Staff" to one
> pool and "Students"# to the other. Then to select a VLAN within the pool, use
> a hashing function and select a VLAN.
>
> One concern I have is when is post-auth called? Would it get called for
> interim authentication requests? Because I don't want to be changing the VLAN
> mid sessions, which could potentially happen with a non-deterministic hash!
>
> In my tests I have been creating a hash from the 'State' attribute which
> seems reasonably random and gives me a good even share across the VLANs in my
> pools, but would be completely non-deterministic. (My tests are not real
> world so this could prove untrue).
>
> A hash on User-Name may be more deterministic, but may not give me the
> balance I need.
>
> Students and Staff have different format usernames so I am sure this would
> result in un-balanced sharing across the VLAN pools. And we have un-even
> numbers of students on different courses and their usernames start the same.
>
> I am using a perl module called within post-auth that does some LDAP lookups
> as well to find the type of the user.
>
> Nothing is set in stone yet and I am still experimenting, I feel sure
> whatever method I use will end up being a "I wouldn't start from here"
> solution in 12 months time!
>
> # Staff in our world means Staff + Research Postgrads and Students are
> Students + Taught Postgrads...
>
> On 17 Feb 2011, at 23:52, Kenneth Marshall wrote:
>
>> On Thu, Feb 17, 2011 at 02:26:14PM -0800, Brett Littrell wrote:
>>> I agree breaking the network up into separate VLANs then routing between
>>> them would help with broadcasting but I do not agree that hashing values
>>> and then using those hashing values as we randomizing agents to distribute
>>> vlans. There has to be a more elegant way to do this, I believe there is.
>>>
>>> First off by randomizing what network a host is going to be on is going
>>> to be extremely confusing when you try and troubleshoot other issues, for
>>> instance a virus outbreak, now you have to figure out who is on what subnet
>>> and who is sending what etc.. I can think of a lot of other issues that
>>> would cause headaches, suffice to say it is not a good idea.
>>>
>>> The better way to do this is to break people up by some logical means,
>>> such as Accounting, testing, personnel etc. Then create groups and assign
>>> group ids based on the users in those groups. This gives the benefit of
>>> segmenting and securing like minded traffic as well, maybe accounting can
>>> only talk to accounting, personnel can only talk to these servers, or those
>>> servers etc. Of course you would have to route to other subnets if you
>>> want them to talk but now you have control to say only this group of people
>>> can talk to that group of people and not just open it up for everyone.
>>>
>>> Even if you assign users by Group1, Group2, Group3 and you have a virus
>>> outbreak now you can at least look at it and say right away all Group1
>>> subnet is crazy and have a list of all the stations/users in that group.
>>>
>>> Anyway, that is my 2 cents on the whole deal.
>>>
>>> Brett Littrell
>>> Network Manager
>>> MUSD
>>> CISSP, CCSP, CCVP, MCNE
>>
>> I agree with you that random VLAN selection is not a good idea and it
>> wreaks havoc with most clients too. However, the problem we ran into was
>> balancing the usage of all of the VLANS to get both good performance and
>> minimize infrastructure costs. This can be done by assigning to groups
>> and then placing in the VLAN according to that group, but then you have
>> the problem of balancing the assignment to the named groups. In the end,
>> we used the hash function because it would deterministically assign a
>> user to a VLAN and balanced the hardware usage reasonably well. We used
>> the simple crc32, but a better hash function would distribute them even
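As an added example (not code from this thread, from FreeRADIUS, or from anyone's rlm_perl module), the Python below puts the two decision rules described in the thread into runnable form: the netreg rule from the MAC authentication post (unregistered or blocked MAC goes to the sandbox VLAN, everyone else to a regular VLAN) and the status-picks-the-pool, CRC32-picks-the-VLAN selection Kenneth and Barry describe. The pool names, the registration table, the MAC normalization step and the lower-casing of User-Name are constructed assumptions; in production the same logic would sit in the post-auth perl module Barry mentions.

```python
import re
import zlib

SANDBOX_VLAN = "sandbox"

# Constructed sample pools standing in for the "Staff"/"Students" pools
# in the thread; the names follow the student0[1234] style used above.
VLAN_POOLS = {
    "facstaff": ["facstaff0", "facstaff1"],
    "student": ["student01", "student02", "student03", "student04"],
}

# Constructed stand-in for the netreg registration database:
# normalized MAC -> (status from the directory, blocked flag).
REGISTRATIONS = {
    "001e58f9a694": ("student", False),
    "0020b0e612a6": ("facstaff", False),
    "aabbccddeeff": ("student", True),
}


def normalize_mac(mac):
    """Reduce any NAS MAC format (XX:XX:..., XX-XX-..., XXXX.XXXX.XXXX,
    bare hex, either case) to 12 lowercase hex digits. Hashing the raw
    Calling-Station-Id would put the same client in different VLANs
    depending on which vendor's NAS the request came through."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def pick_vlan(pool, key):
    """Deterministic pool member for key: CRC32 (the hash Kenneth mentions)
    modulo pool size. Unlike a hash of State, the same key always lands on
    the same VLAN, so a switch-triggered re-auth never moves a client."""
    return pool[zlib.crc32(key.encode("utf-8")) % len(pool)]


def tunnel_reply(vlan):
    """The IETF 64/65/81 reply items the NAS needs for VLAN assignment."""
    return {
        "Service-Type": "Framed-User",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }


def vlan_for_mac_auth(calling_station_id):
    """netreg-style decision: unregistered or blocked MACs go to the
    sandbox VLAN (captive portal); everyone else gets a VLAN from their
    status pool, chosen by the MAC hash."""
    try:
        mac = normalize_mac(calling_station_id)
    except ValueError:
        return tunnel_reply(SANDBOX_VLAN)   # unparsable: treat as unregistered
    entry = REGISTRATIONS.get(mac)
    if entry is None:
        return tunnel_reply(SANDBOX_VLAN)   # not registered yet
    status, blocked = entry
    if blocked:
        return tunnel_reply(SANDBOX_VLAN)   # registered but blocked
    return tunnel_reply(pick_vlan(VLAN_POOLS[status], mac))


def vlan_for_user(user_name, status):
    """802.1X variant: the directory status picks the pool and a hash of
    User-Name picks the VLAN. The name is lower-cased first because AD
    logins are case-insensitive, so 'SDing' and 'sding' are one person."""
    pool = VLAN_POOLS.get(status)
    if not pool:
        return {}   # unknown status: no Tunnel-* items, the NAS default VLAN applies
    return tunnel_reply(pick_vlan(pool, user_name.lower()))


def distribution(keys, pool):
    """Count how many keys land on each VLAN, to check the spread."""
    counts = {vlan: 0 for vlan in pool}
    for key in keys:
        counts[pick_vlan(pool, key)] += 1
    return counts


if __name__ == "__main__":
    for csid in ("00-1E-58-F9-A6-94", "00:1e:58:f9:a6:94", "aabb.ccdd.eeff",
                 "11:22:33:44:55:66", "garbage"):
        print(csid, "->", vlan_for_mac_auth(csid)["Tunnel-Private-Group-Id"])
    # Constructed usernames sharing a prefix, the case Barry worries about.
    print(distribution(["stu%05d" % i for i in range(1000)], VLAN_POOLS["student"]))
```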
Re: Hash username or mac address to assign user to different vlan
What's your biggest subnet for the wireless? How do you deal with excessive broadcast protocols?

Thanks,

Schilling

On Fri, Feb 18, 2011 at 9:26 AM, Phil Mayers wrote:
> On 18/02/11 14:16, Dean, Barry wrote:
>>
>> I have been asked to do just this and I am working on the solution
>> now.
>>
>> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
>> to one pool and "Students"# to the other. Then to select a VLAN
>> within the pool, use a hashing function and select a VLAN.
>>
>> One concern I have is when is post-auth called? Would it get called
>> for interim authentication requests? Because I don't want to be
>> changing the VLAN mid sessions, which could potentially happen with a
>> non-deterministic hash!
>
> There is no such thing as an "interim" authentication request.
>
> Post-auth is called after every auth.
>
> I suspect you are referring to feature(s) on the switch(es) you use where it
> will "re-auth" the client after X minutes. That's just another, separate
> authentication as far as FreeRadius is concerned.
>
>>
>> In my tests I have been creating a hash from the 'State' attribute
>
> That's a very bad idea. It will change mid-session and cause you huge
> problems.
>
> We do pervasive VLAN assignment on a large scale here, and my advice is the
> same as others in the thread - don't use a hash value. Just map a user or
> group to a vlan.
>
> If you need to "balance the numbers of users on a vlan" (why?) then you
> should log the vlan assignments to SQL and run a post-processing script that
> changes the assignment to keep the "load balanced".
>
> Personally we just run big subnets to reduce the waste of IP space and
> configuration overhead.
Re: Hash username or mac address to assign user to different vlan
I can explain my environment. We are migrating from a traditional captive portal to new 802.1x WPA2-Enterprise, from fat APs to a controller based wireless architecture; wireless mobility comes into play too. At the same time, how to maintain the traditional source-based IP ACL/Firewall? We already implemented MPLS VPN based network virtualization, so we want to utilize both MPLS VPN and the newer wireless architecture. That's why.

Another thing is big VLAN broadcast scalability. So we want to chop off users into different VLANs at first by hash, and later will try to implement group based VLAN assignment.

Also, we agree with the consensus of using eap/peapv0 for 802.1x. Just no hassle to install a third party supplicant on M$ computers. And it could work with either AD or LDAP with the ntPassword hash.

Schilling

On Fri, Feb 18, 2011 at 9:36 AM, Phil Mayers wrote:
> On 18/02/11 14:29, schilling wrote:
>>
>> Could you share your configuration and perl script? So I can learn from
>> it?
>> I am thinking of use ldap status to decide the pool, then hashing mac
>> address of the client to get different VLAN.
>
> It seems like a lot of people are suddenly wanting to do this.
>
> Can any of you explain why, and why now? Just curious. It seems odd that so
> many people want to do it, all at the same time.
>
> Did an article appear online or in a magazine or something ;o)
different perl module in different virtual server result different w/ or w/o -X
Hi All,

I am running 2.1.6. I have modules/perl_resnet like

    perl perl_resnet {...}

for virtual server resnet, which will put the mac-address in the sandbox vlan if not in the database. And I have modules/perl_foosecure

    perl perl_foosecure {...}

for virtual server auth, used as inner-tunnel for eap, which will put u...@foo.edu in one of the student0[1234] vlans if ldap returns status as student.

When I run radiusd -X, u...@foo.edu will be put in one of student0[1234] every time. But if I run normal radiusd w/o the -X flag, u...@foo.edu will sometimes be put in the sandbox vlan, and sometimes be put in one of the student0[1234] vlans.

    [root@auth1 raddb]# perl -V | grep -i multip
        usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
      Compile-time options: MULTIPLICITY PERL_IMPLICIT_CONTEXT

Any insight?

Schilling
Re: How to assign vlan / manage different user groups
We are using wlan - freeradius - ldap too. In freeradius, you check ldap whether the username is in the student or nonstudent group, then you need to send back either IETF 64 65 81 or some vendor specific attributes. On the WLAN controller, you then either use the IETF 64 65 81 or the vendor specific attributes to drop the user session in the VLAN.

Schilling

On Tue, Apr 5, 2011 at 9:07 AM, Götz Reinicke - IT-Koordinator wrote:
> Hi,
>
> may be someone can point me into the right direction:
>
> we do have a new wlan - freeradius - ldap setup and want to assign two
> main usergroups to two main wlans.
>
> Each wlan has an own vlan.
>
> We use cisco switches and APs and got a wlan controller.
>
> So far we do have different SSIDs and all users can access both WLANs
> with their username/password stored in our ldap.
>
> Now we'd like students only to be able to access the students WLAN and
> employees to access their WLAN.
>
> My question: Where is the point to start to configure such a setup?
>
> I think, somewhere there must be some sort of check if the user
> accessing the e.g. student wlan is in the primary posixgroup student.
>
> Or do I have to 'send' the VLAN ID to the network devices?
>
> Thanks for any hint and best regards
>
> Götz Reinicke
> --
> Götz Reinicke
> IT-Koordinator
> Filmakademie Baden-Württemberg GmbH
> www.filmakademie.de
Re: Authenticating against Win2k8r2 without ntlm_auth
Could we extend the AD schema with another accessible ntPassword hash, and thus use LDAP against AD for PEAP/MSCHAP?

Schilling

On Sun, Apr 24, 2011 at 4:33 AM, Phil Mayers wrote:
> On 04/24/2011 12:48 AM, Thomas Smith wrote:
>
>> While Samba 3.5 and Likewise 6 fixed the problems authenticating
>> against Win2k8r2, Likewise removed support for Samba/Winbind in their
>> 6.x series product (they included full support for Samba/Winbind in
>> their 5.x series product)--they now use their own libraries to provide
>> "winbind" functionality. The result of this is that the Samba-included
>> ntlm_auth no longer works (and Likewise doesn't provide a comparable
>> replacement)--since my FreeRADIUS install was using ntlm_auth for AD
>> authentication and authorization, it is no longer working.
>
> If you're using Samba/ntlm_auth, you're probably doing PEAP/MSCHAP, in which
> case you have precisely one option - continuing to use Samba/ntlm_auth.
>
> Neither kerberos nor LDAP against AD (nor any other method) can be used to
> process MSCHAP authentications.
>
> If Likewise are going to replace bits of the Samba stack, they should
> provide compatible bits.
Re: Mac Auth - Timeout Connecting WiFi
Any ACL on the AP network which might block your debian server IP but not your ubuntu IP?

Schilling

On Wed, Apr 27, 2011 at 3:59 PM, John Corps wrote:
> Hello,
> I had freeradius setup and running perfectly on an ubuntu test machine and
> now I have done the exact same setup and configuration on a new debian
> machine with the addition of daloradius for easy configuration by other
> members of the team. I am running latest freeradius 2.1.10. The ubuntu
> machine was working perfect for mac auth but now this setup is not working.
> I try and connect to the WiFi and it always times out. Putting freeradius in
> debug mode shows nothing useful, it shows that it's sending the access
> accept packet but the connection times out still. Here is a sample debug, if
> anyone can be of any assistance it would be great. For reference, I change
> my AP back to the ubuntu server to do the radius mac auth and connect to the
> wifi and it sends the access accept and connects right away. Maybe I am
> missing something here. I don't think it's an issue using sql as the ubuntu
> machine isn't using sql but if i disable sql and use exact config etc the
> time out still occurs.
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.1.55 port 1030, id=0, length=160
>         User-Name = "00-1E-58-F9-A6-94"
>         User-Password = "NOPASSWORD"
>         NAS-IP-Address = 192.168.1.55
>         Called-Station-Id = "00-20-B0-E6-12-A6:TEST"
>         Calling-Station-Id = "00-1E-58-F9-A6-94"
>         NAS-Port-Type = Wireless-802.11
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>         Message-Authenticator = 0x946f027f36890c6b16ec5b4132e8e1d9
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "00-1E-58-F9-A6-94", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> [sql]   expand: %{User-Name} -> 00-1E-58-F9-A6-94
> [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94'
> rlm_sql (sql): Reserving sql socket id: 3
> [sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00-1E-58-F9-A6-94' ORDER BY id
> [sql] User found in radcheck table
> [sql]   expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '00-1E-58-F9-A6-94' ORDER BY id
> [sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00-1E-58-F9-A6-94' ORDER BY priority
> rlm_sql (sql): Released sql socket id: 3
> ++[sql] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING: Auth-Type already set.  Not setting to PAP
> ++[pap] returns noop
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> [sql]   expand: %{User-Name} -> 00-1E-58-F9-A6-94
> [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94'
> [sql]   expand: %{User-Password} -> NOPASSWORD
> [sql]   expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47')
> rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47')
> rlm_sql (sql): Reserving sql socket id: 2
> rlm_
Re: Client authenticated but no internet connection
On Dec 29, 2005, at 8:39 AM, LeRoy DeVries wrote:

> On Thursday 29 December 2005 04:16, mfred wrote:
>> Hi,
>>
>> The clients can login (through the chillispot login page) and authenticate
>> via the radius server and mysqldb. So they have an IP like 192.168.182.5.
>> But even if they get authenticated they still cannot connect to the
>> internet. And I have no idea why.
>>
>> Any hints ?
>>
>> TIA
>> mfred
>
> Check your iptables and firewall settings. Make sure you have your firewall
> turned off at the router. Chillispot has a thing about firewalls at the
> router. At least that's what I have found.

I would beg to differ. You should not be turning off firewall rules at the gateway. If properly set up you can use iptables on the Chillispot server and still work through an existing firewall. I have this working in multiple locations.

Phil
Re: IP address assignment
On Oct 13, 2005, at 10:44 PM, Infusino, Michael - ADP Dataphile wrote:

> Very nice.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 13, 2005 11:41 PM
> To: FreeRadius users mailing list
> Subject: Re: IP address assignment
>
> Infusino, Michael - ADP Dataphile wrote:
>> I am using radius to authenticate access from VPN. Would anyone know how
>> to record the IP address the user is assigned after they log in.
>>
>> Michael
>
> How does a little dynamic dns strike you? Make sure to actually read below
> and the attached scripts and set up a DNS key.
>
> --radiusd.conf- modules section
>
>     exec ddns_update {
>         wait = no
>         program = "/usr/local/sbin/radius-dns-update.sh"
>         input_pairs = request
>         packet_type = Accounting-Request
>         shell_escape = yes
>     }
>
> end modules
>
> instantiate section---
>     ddns_update
> ---end section

Does everyone top post now? How do you read a thread?

Phil