AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
OK, I think I found out where things are going wrong.

In my Radius -X log I noticed the "Starting - reading configuration files" is
short, compared to those of others. What is missing is actually:

including files in directory /usr/local/etc/raddb/modules/

(followed by 
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl)

This is all not in my freeradius -X logs and is in the logs of others.

Now where do I enable/disable loading the modules folder?


Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Alan DeKok
Schaatsbergen, Chris wrote:
> OK, I think I found out where things are going wrong.
>
> In my Radius -X log I noticed the "Starting - reading configuration files" is
> short, compared to those of others. What is missing is actually:
>
> including files in directory /usr/local/etc/raddb/modules/
...
> Now where do I enable/disable loading the modules folder?

  radiusd.conf?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
That is clear, but it seems it is missing in the Lenny package somehow, as
http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html
has exactly the same problem as me: no modules folder being read, causing
ntlm_auth not to be recognized as a module.

Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it 
be?

The beginning part of our current radiusd.conf:

# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.272 2008/04/26 15:14:33 aland Exp $
##

##
#
#   Read man radiusd before editing this file.  See the section
#   titled DEBUGGING.  It outlines a method where you can quickly
#   obtain the configuration you want, without running into
#   trouble.
#
#   Run the server in debugging mode, and READ the output.
#
#   $ radiusd -X
#
#   We cannot emphasize this point strongly enough.  The vast
#   majority of problems can be solved by carefully reading the
#   debugging output, which includes warnings about common issues,
#   and suggestions for how they may be fixed.
#
#   There may be a lot of output, but look carefully for words like:
#   warning, error, reject, or failure.  The messages there
#   will usually be enough to guide you to a solution.
#
#   If you are going to ask a question on the mailing list, then
#   explain what you are trying to do, and include the output from
#   debugging mode (radiusd -X).  Failure to do so means that all
#   of the responses to your question will be people telling you
#   to post the output of radiusd -X.

##
#
#   The location of other config files and logfiles are declared
#   in this file.
#
#   Also general configuration for modules can be done in this
#   file, it is exported through the API to modules that ask for
#   it.
#
#   See man radiusd.conf for documentation on the format of this
#   file.  Note that the individual configuration items are NOT
#   documented in that man page.  They are only documented here,
#   in the comments.
#
#   As of 2.0.0, FreeRADIUS supports a simple processing language
#   in the authorize, authenticate, accounting, etc. sections.
#   See man unlang for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

# Should likely be ${localstatedir}/lib/radiusd
db_dir = $(raddbdir)




Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Alan DeKok
Schaatsbergen, Chris wrote:
> That is clear, but it seems it is missing in the Lenny Package somehow as
> http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html
> has exactly the same problem as me, no modules folder being read causing the
> ntlm_auth not being recognized as module.

  <shrug>  I don't run Lenny, so I can't say any more.

> Where can I find a proper radiusd.conf?

  Have you tried the 2.1.10 tar file on freeradius.org?

  Alan DeKok.


AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
I think freeradius is a great piece of software and I will certainly continue 
to use it. I am also very happy with the great documentation that can be found, 
both the wiki and Alan's website are an awesome source of very good 
information. The support community here is also very active, which is a great 
thing.

But had someone with freeradius knowledge taken the time to look at the 
freeradius -X logs I (and David Dumortier) supplied with our questions, they 
would have seen the problem right away I suppose, in both our cases.

Probably there have been too many typical n00b users who asked questions after 
not following the (clear) documentation properly, but please understand we are 
not all like that.

This has caused me an enormous load of stress and has cost me about 3 days (and
one night's sleep), and I assume it has caused you a certain amount of stress as
well, and it could have been so much more satisfying had it been checked just a
little bit more.

Of course, you are not responsible for every package being produced and I do
not know yet how this all works as I did not install our freeradius server
myself (unfortunately). But in our cases, the users were not to blame, other
than for using an available and hopefully supported package.

I will have a new lenny server installed with just the 2.1.10 debian backport 
package on it (no older versions) to see if that comes with a proper 
radiusd.conf file. If so then my problem is caused by an older package being 
installed earlier and new users will not be bothered by it.

Again, I really think freeradius is a great piece of software, there is plenty 
of good documentation and it has an awesome support community here. So I will 
certainly continue to use freeradius as our authentication server. But please, 
if a user says he followed the instructions to the letter, give them the 
benefit of the doubt and see if something else is going wrong.





Re: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Alan Buxey
Hi,
> That is clear, but it seems it is missing in the Lenny Package somehow as
> http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html
> has exactly the same problem as me, no modules folder being read causing the
> ntlm_auth not being recognized as module.
>
> Where can I find a proper radiusd.conf? Or where in the radiusd.conf should
> it be?

from the main source

www.freeradius.org

get the 2.1.10 tarball, extract it and look at what the config should be like.
I wonder if lenny is requiring you to install other packages for 
purpose/facilities

alan


AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
Thanks! Actually in this case I was too early writing the mail (because I was
rather annoyed), something I should not allow myself to happen. The
radiusd.conf file is documented on the Wiki site (though the link there that
should point to the latest version is not working, as it points to the currently
non-existent
http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).

I found the missing piece:

$INCLUDE ${confdir}/modules/

Which should be in (the top of) the modules section.

With that addition freeradius starts without error messages, so I can continue
with Alan DeKok's (excellent) description of how to enable AD authentication.


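A diagnostic for exactly the failure worked out in this post (a modules section without the `$INCLUDE`, so `modules/ntlm_auth` is never read and the `authenticate` entry cannot link), plus the mixed-install check Johan Meiring raises elsewhere in the thread. This is an added example, not code from the thread or the FreeRADIUS project; the radiusd.conf fragments and `radiusd -X` excerpts are constructed samples, and the layout assumes a Debian-style /etc/freeradius.

```python
"""Checks for the failure in this thread: a radiusd.conf whose `modules` section
lacks `$INCLUDE ${confdir}/modules/`, so modules/ntlm_auth is never read and the
`authenticate { ntlm_auth }` entry cannot link.  Added example, not from the
thread or the FreeRADIUS project; every input below is constructed."""
import re

INCLUDE_RE = re.compile(r'^\s*\$INCLUDE\s+\$\{confdir\}/modules/?\s*$')
PATH_RE = re.compile(r'including (?:configuration file|files in directory) (\S+)')

def _strip_comments(text):
    # '#' starts a comment in radiusd.conf (a '#' inside quotes is not handled).
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def section_body(conf, name):
    """Body of the first top-level `name { ... }` block, or None if absent."""
    text = _strip_comments(conf)
    m = re.search(r'(?m)^\s*' + re.escape(name) + r'\s*\{', text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[m.end():i]
    return None  # unbalanced braces: treat as absent

def has_modules_include(conf):
    """True iff the modules section pulls in ${confdir}/modules/."""
    body = section_body(conf, "modules")
    return body is not None and any(INCLUDE_RE.match(line) for line in body.splitlines())

def loaded_module_names(debug_output):
    """Per-module files that `radiusd -X` reports reading from a modules/ directory."""
    names = []
    for path in PATH_RE.findall(debug_output):
        _, sep, tail = path.rpartition("/modules/")
        if sep and tail:
            names.append(tail)
    return names

def confdirs_seen(debug_output):
    """Configuration roots the running server read (two roots means two installs)."""
    roots = set()
    for path in PATH_RE.findall(debug_output):
        if "/modules/" in path:
            roots.add(path.split("/modules/", 1)[0])
        elif path.endswith("/radiusd.conf"):
            roots.add(path[:-len("/radiusd.conf")])
    return roots

def diagnose(conf, debug_output):
    """Findings a list reader could act on, as plain strings."""
    findings = []
    if not has_modules_include(conf):
        findings.append("modules section lacks '$INCLUDE ${confdir}/modules/'")
    if "ntlm_auth" not in loaded_module_names(debug_output):
        findings.append("modules/ntlm_auth was never read, so rlm_ntlm_auth cannot link")
    m = re.search(r'(?m)^\s*raddbdir\s*=\s*(\S+)', _strip_comments(conf))
    roots = confdirs_seen(debug_output)
    if m and "${" not in m.group(1) and roots and m.group(1) not in roots:
        findings.append("debug output came from %s, not raddbdir %s" % (sorted(roots), m.group(1)))
    return findings

# Constructed samples: an upgraded-in-place config that kept an old modules section,
# the same file with the include added, and matching `radiusd -X` excerpts.
BROKEN_CONF = "raddbdir = /etc/freeradius\nconfdir = ${raddbdir}\nmodules {\n\t$INCLUDE eap.conf\n}\n"
FIXED_CONF = BROKEN_CONF.replace("modules {\n", "modules {\n\t$INCLUDE ${confdir}/modules/\n")
BROKEN_LOG = ("Starting - reading configuration files ...\n"
              "including configuration file /etc/freeradius/radiusd.conf\n"
              "including configuration file /etc/freeradius/eap.conf\n")
FIXED_LOG = BROKEN_LOG + ("including files in directory /etc/freeradius/modules/\n"
                          "including configuration file /etc/freeradius/modules/ntlm_auth\n"
                          "including configuration file /etc/freeradius/modules/mschap\n")
```

Run `diagnose(open("/etc/freeradius/radiusd.conf").read(), open("radiusd-X.log").read())` against a real config and a saved debug log to get the same findings for your own server.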


Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Johan Meiring

On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:
> That is clear, but it seems it is missing in the Lenny Package somehow as
> http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html
> has exactly the same problem as me, no modules folder being read causing the
> ntlm_auth not being recognized as module.
>
> Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it
> be?

Looking at config below...
/usr/local/etc/raddb/modules/

Lenny package does NOT put stuff in /usr/local/

Seems you have two versions of freeradius on your system.

Cheers,

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



Re: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Alan DeKok
Schaatsbergen, Chris wrote:
> Thanks! Actually in this case I was too early writing the mail (because I was
> rather annoyed), something I should not allow myself to happen. The
> radiusd.conf file is documented on the Wiki site (though the link there that
> should point to the latest version is not working as it points to the
> currently non-existent
> http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).

  That should point to radiusd.conf.in.

> I found the missing piece:
>
> $INCLUDE ${confdir}/modules/
>
> Which should be in (the top of) the modules section.
>
> With that addition freeradius starts without error messages so I can continue
> Alan DeKok's (excellent) description of how to enable AD authentication.

  Most of the howtos assume you're running a recent version of the
server.  Some systems have *old* versions of the server.  We're unable
to maintain copies of the documentation for each version of the server.

  This makes life harder for the average admin, but we have to draw the
line somewhere.

  Alan DeKok.


AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
Alan DeKok wrote:
>   Most of the howtos assume you're running a recent version of the
> server.  Some systems have *old* versions of the server.  We're unable
> to maintain copies of the documentation for each version of the server.
>
>   This makes life harder for the average admin, but we have to draw the
> line somewhere.
>
>   Alan DeKok.

We are running a current version of the server (2.1.10), but somehow the 
radiusd.conf file is not right. I hope to find out what is wrong exactly and 
post it here for future use. After a short (and rather violent) discussion with 
our linux expert I believe originally version 2.0.4 had been installed as that 
is the current stable version for lenny. But before I started working with it, 
it had already been upgraded to 2.1.8 and I requested the upgrade to 2.1.10 
recently because of the lowercase function. All upgrades, no new installs, 
perhaps there lies the problem.



AW: AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
> -----Original Message-----
> From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org
> [mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org]
> On behalf of Alan DeKok
> Sent: Monday, 14 February 2011 16:00
> To: FreeRadius users mailing list
> Subject: Re: AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD
>
> Schaatsbergen, Chris wrote:
> > We are running a current version of the server (2.1.10), but somehow
> > the radiusd.conf file is not right.
>
>   The radiusd.conf file isn't over-written when a new package is
> installed.  You've customized it locally, and it *must* be left alone.


Crystal Clear. 

So you should never upgrade the existing installation. And if you really do 
need a new version then you should backup the old installation,  perform a 
clean new installation and then redo all the configuration you had done before 
(and hope that it still works). Pity, but on the other hand a very good reason 
to keep your documentation up to date. Talking about work for the admins :p

I am glad when I have this server up and running, I just have to finish the 
documentation and can then 'throw it over the wall' to the system 
administrators ;)

There are actually other programs (Splunk, costs 12k a year) that use different 
config files for system config and user config. Maybe an idea for a future 
release of freeradius?



AW: AW: AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-14 Thread Schaatsbergen, Chris
Johan Meiring wrote:
> Looking at config below...
> /usr/local/etc/raddb/modules/
>
> Lenny package does NOT put stuff in /usr/local/
>
> Seems you have two versions of freeradius on your system.

I took the other data from another 'ticket' here which is clearly not running 
on lenny indeed. But the problem has been solved, thanks for your help to think 
of an answer though :)



AW: AW: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-11 Thread Schaatsbergen, Chris
> > So far I have done everything there exactly as described with the
> > same outcome.
>
>   No.
>
>   If you get the error "Failed to link to module 'rlm_ntlm_auth':...",
> it means you did something *other* than what is on the web page.
>
> > This is I believe indeed the missing piece, problem is I cannot find
> > it in your web page.
>
>   It's the "exec ntlm_auth { ..." text.
>
>   Add it, *and* the ntlm_auth entry in the authenticate section.

The ntlm_auth file with the "exec ntlm_auth" text has been in the module folder
since I started working on this (actually I believe it was already there, as it
has been added in 2.1.8), about a week ago. It is also what I have indicated
both in my original post and in the repost I made today. The file is there, and
the exact contents of that file are in the repost I posted earlier today. Now
if there is something wrong with that file I would love to hear it. I tried
various ways of adding ntlm_auth to the authentication section of the default
virtual machine, but all with the same outcome: module not found.

Unfortunately I do not see where the actual problem lies, otherwise I would not 
have bothered you with it.

I have followed the instructions from your webpage to the letter and when that
did not work I tried some other suggestions, but they all proved to be without
effect and have therefore been removed again.

Now, if anyone is willing to actually look to see what is going wrong instead 
of immediately jumping to the easy conclusions, that help would be highly 
appreciated. I am pretty sure I made a mistake somewhere, but it has not been 
in following these instructions. More likely it is in the original 
configuration or how I changed it to fit our need (Mac authentication). The 
current running config works properly, but it is very well possible I disabled 
something that is needed for ntlm_auth.
