Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
OK, I think I found out where things are going wrong. In my radiusd -X log I noticed the "Starting - reading configuration files" part is short compared to those of others. What is missing is actually:

including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/perl

This is all not in my freeradius -X logs and is in the logs of others. Now where do I enable/disable loading the modules folder?

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org On behalf of Schaatsbergen, Chris
Sent: Friday, 11 February 2011 19:32
To: FreeRadius users mailing list
Subject: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

So far I have done everything there exactly as described with the same outcome.

No. If you get the error "Failed to link to module 'rlm_ntlm_auth':...", it means you did something *other* than what is on the web page.

This is I believe indeed the missing piece; problem is I cannot find it in your web page.

It's the "exec ntlm_auth { ..." text. Add it, *and* the "ntlm_auth" entry in the "authenticate" section.

The ntlm_auth file with the exec ntlm_auth text has been in the module folder since I started working on this (actually I believe it was already there, as it has been added in 2.1.8), about a week ago. It is also what I have indicated both in my original post and in the repost I made today. The file
Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:

OK, I think I found out where things are going wrong. In my radiusd -X log I noticed the "Starting - reading configuration files" part is short compared to those of others. What is missing is actually: including files in directory /usr/local/etc/raddb/modules/ ... Now where do I enable/disable loading the modules folder?

radiusd.conf?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

The beginning part of our current radiusd.conf:

# -*- text -*-
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.272 2008/04/26 15:14:33 aland Exp $
##

#
# Read "man radiusd" before editing this file. See the section
# titled DEBUGGING. It outlines a method where you can quickly
# obtain the configuration you want, without running into
# trouble.
#
# Run the server in debugging mode, and READ the output.
#
# $ radiusd -X
#
# We cannot emphasize this point strongly enough. The vast
# majority of problems can be solved by carefully reading the
# debugging output, which includes warnings about common issues,
# and suggestions for how they may be fixed.
#
# There may be a lot of output, but look carefully for words like:
# "warning", "error", "reject", or "failure". The messages there
# will usually be enough to guide you to a solution.
#
# If you are going to ask a question on the mailing list, then
# explain what you are trying to do, and include the output from
# debugging mode (radiusd -X). Failure to do so means that all
# of the responses to your question will be people telling you
# to "post the output of radiusd -X".

##
# The location of other config files and logfiles are declared
# in this file.
#
# Also general configuration for modules can be done in this
# file, it is exported through the API to modules that ask for
# it.
#
# See "man radiusd.conf" for documentation on the format of this
# file. Note that the individual configuration items are NOT
# documented in that man page. They are only documented here,
# in the comments.
#
# As of 2.0.0, FreeRADIUS supports a simple processing language
# in the "authorize", "authenticate", "accounting", etc. sections.
# See "man unlang" for details.
#

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/freeradius

# Should likely be ${localstatedir}/lib/radiusd
db_dir = $(raddbdir)

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org On behalf of Alan DeKok
Sent: Monday, 14 February 2011 12:40
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

Schaatsbergen, Chris wrote: OK, I think I found out where things are going wrong. In my radiusd -X log I noticed the "Starting - reading configuration files" part is short compared to those of others. What is missing is actually: including files in directory /usr/local/etc/raddb/modules/ ... Now where do I enable/disable loading the modules folder?

radiusd.conf?

Alan DeKok.
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:

That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module.

shrug I don't run Lenny, so I can't say any more.

Where can I find a proper radiusd.conf?

Have you tried the 2.1.10 tar file on freeradius.org?

Alan DeKok.
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
I think freeradius is a great piece of software and I will certainly continue to use it. I am also very happy with the great documentation that can be found; both the wiki and Alan's website are an awesome source of very good information. The support community here is also very active, which is a great thing.

But had someone with freeradius knowledge taken the time to look at the freeradius -X logs I (and David Dumortier) supplied with our questions, they would have seen the problem right away, I suppose, in both our cases. Probably there have been too many typical n00b users who asked questions after not following the (clear) documentation properly, but please understand we are not all like that. This has caused me an enormous load of stress and has cost me about 3 days (and one night's sleep), and I assume it has caused you a certain amount of stress as well, and it could have been so much more satisfying had it been checked just a little bit more.

Of course, you are not responsible for every package being produced, and I do not know yet how this all works as I did not install our freeradius server myself (unfortunately). But in our cases the users were not to blame, other than for using an available and hopefully supported package. I will have a new lenny server installed with just the 2.1.10 debian backport package on it (no older versions) to see if that comes with a proper radiusd.conf file. If so, then my problem is caused by an older package being installed earlier and new users will not be bothered by it.

Again, I really think freeradius is a great piece of software, there is plenty of good documentation and it has an awesome support community here. So I will certainly continue to use freeradius as our authentication server. But please, if a user says he followed the instructions to the letter, give them the benefit of the doubt and see if something else is going wrong.

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org On behalf of Alan DeKok
Sent: Monday, 14 February 2011 12:57
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

Schaatsbergen, Chris wrote: That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module.

shrug I don't run Lenny, so I can't say any more.

Where can I find a proper radiusd.conf?

Have you tried the 2.1.10 tar file on freeradius.org?

Alan DeKok.
Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
Hi,

That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

From the main source www.freeradius.org get the 2.1.10 tarball, extract it and look at what the config should be like. I wonder if lenny is requiring you to install other packages for purpose/facilities.

alan
Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
Thanks! Actually in this case I was too early writing the mail (because I was rather annoyed), something I should not allow myself to happen. The radiusd.conf file is documented on the Wiki site (though the link there that should point to the latest version is not working, as it points to the currently nonexistent http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).

I found the missing piece:

$INCLUDE ${confdir}/modules/

which should be in (the top of) the modules section. With that addition freeradius starts without error messages, so I can continue Alan DeKok's (excellent) description of how to enable AD authentication.

-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org On behalf of Alan Buxey
Sent: Monday, 14 February 2011 13:48
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

Hi,

That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

From the main source www.freeradius.org get the 2.1.10 tarball, extract it and look at what the config should be like. I wonder if lenny is requiring you to install other packages for purpose/facilities.

alan
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote:

That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

Looking at config below...

/usr/local/etc/raddb/modules/

Lenny package does NOT put stuff in /usr/local/

Seems you have two versions of freeradius on your system.

Cheers,

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
Schaatsbergen, Chris wrote:

Thanks! Actually in this case I was too early writing the mail (because I was rather annoyed), something I should not allow myself to happen. The radiusd.conf file is documented on the Wiki site (though the link there that should point to the latest version is not working, as it points to the currently nonexistent http://github.com/alandekok/freeradius-server/blob/stable/raddb/radiusd.conf).

That should point to radiusd.conf.in.

I found the missing piece: $INCLUDE ${confdir}/modules/ which should be in (the top of) the modules section. With that addition freeradius starts without error messages, so I can continue Alan DeKok's (excellent) description of how to enable AD authentication.

Most of the howtos assume you're running a recent version of the server. Some systems have *old* versions of the server. We're unable to maintain copies of the documentation for each version of the server. This makes life harder for the average admin, but we have to draw the line somewhere.

Alan DeKok.
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
Most of the howtos assume you're running a recent version of the server. Some systems have *old* versions of the server. We're unable to maintain copies of the documentation for each version of the server. This makes life harder for the average admin, but we have to draw the line somewhere. Alan DeKok.

We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right. I hope to find out what is wrong exactly and post it here for future use. After a short (and rather violent) discussion with our Linux expert I believe originally version 2.0.4 had been installed, as that is the current stable version for lenny. But before I started working with it, it had already been upgraded to 2.1.8, and I requested the upgrade to 2.1.10 recently because of the lowercase function. All upgrades, no new installs; perhaps there lies the problem.
Re: Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org On behalf of Alan DeKok
Sent: Monday, 14 February 2011 16:00
To: FreeRadius users mailing list
Subject: Re: Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

Schaatsbergen, Chris wrote: We are running a current version of the server (2.1.10), but somehow the radiusd.conf file is not right.

The radiusd.conf file isn't over-written when a new package is installed. You've customized it locally, and it *must* be left alone.

Crystal clear. So you should never upgrade the existing installation. And if you really do need a new version, then you should back up the old installation, perform a clean new installation and then redo all the configuration you had done before (and hope that it still works). Pity, but on the other hand a very good reason to keep your documentation up to date. Talking about work for the admins :p I am glad when I have this server up and running; I just have to finish the documentation and can then 'throw it over the wall' to the system administrators ;)

There are actually other programs (Splunk, costs 12k a year) that use different config files for system config and user config. Maybe an idea for a future release of freeradius?
Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
-----Original Message-----
From: freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org On behalf of Johan Meiring
Sent: Monday, 14 February 2011 14:48
To: freeradius-users@lists.freeradius.org
Subject: Re: Re: Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD

On 2011/02/14 01:50 PM, Schaatsbergen, Chris wrote: That is clear, but it seems it is missing in the Lenny package somehow, as http://lists.freeradius.org/pipermail/freeradius-users/2011-January/msg00192.html has exactly the same problem as me: no modules folder being read, causing ntlm_auth not being recognized as a module. Where can I find a proper radiusd.conf? Or where in the radiusd.conf should it be?

Looking at config below... /usr/local/etc/raddb/modules/ Lenny package does NOT put stuff in /usr/local/ Seems you have two versions of freeradius on your system. Cheers,

I took the other data from another 'ticket' here, which is clearly not running on lenny indeed. But the problem has been solved; thanks for your help in thinking of an answer though :)
Re: Re: Re: Authenticating SSH login on a Cisco IOS switch to AD
So far I have done everything there exactly as described with the same outcome.

No. If you get the error "Failed to link to module 'rlm_ntlm_auth':...", it means you did something *other* than what is on the web page.

This is I believe indeed the missing piece; problem is I cannot find it in your web page.

It's the "exec ntlm_auth { ..." text. Add it, *and* the "ntlm_auth" entry in the "authenticate" section.

The ntlm_auth file with the exec ntlm_auth text has been in the module folder since I started working on this (actually I believe it was already there, as it has been added in 2.1.8), about a week ago. It is also what I have indicated both in my original post and in the repost I made today. The file is there, and the exact contents of that file are in the repost I posted earlier today. Now if there is something wrong with that file I would love to hear it. I tried various ways of adding ntlm_auth to the authentication section of the default virtual machine, but all with the same outcome: module not found.

Unfortunately I do not see where the actual problem lies, otherwise I would not have bothered you with it. I have followed the instructions from your webpage to the letter, and when that did not work I tried some other suggestions, but they all proved without effect and are therefore removed again. Now, if anyone is willing to actually look to see what is going wrong instead of immediately jumping to the easy conclusions, that help would be highly appreciated. I am pretty sure I made a mistake somewhere, but it has not been in following these instructions. More likely it is in the original configuration or how I changed it to fit our need (MAC authentication). The current running config works properly, but it is very well possible I disabled something that is needed for ntlm_auth.
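The thread turns on three pieces of a FreeRADIUS 2.x raddb tree: the "$INCLUDE ${confdir}/modules/" line at the top of the modules { } section of radiusd.conf (the piece found missing from the upgraded Lenny install), the "exec ntlm_auth { ... }" instance in modules/ntlm_auth, and the "ntlm_auth" entry in the authenticate { } section of the default virtual server (the two pieces Alan DeKok asks for in the message above). When the first is missing, the module file can be present and correct yet never read, and the server then fails to load a non-existent rlm_ntlm_auth. The script below is an added example, not code from the thread or from the FreeRADIUS project: it checks all three pieces in a given raddb directory, and for its stand-alone demo builds two constructed trees in a temporary directory, one complete and one with the $INCLUDE line left out. The ntlm_auth program line, the domain EXAMPLE, and the candidate directories /etc/raddb, /etc/freeradius and /usr/local/etc/raddb are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeRADIUS project): sanity-check
# a FreeRADIUS 2.x raddb tree for the three pieces ntlm_auth needs.
#   1. radiusd.conf:          "$INCLUDE ${confdir}/modules/" inside modules { }
#   2. modules/ntlm_auth:     an "exec ntlm_auth { ... }" instance
#   3. sites-enabled/default: "ntlm_auth" listed inside authenticate { }

# section_has FILE SECTION REGEX: succeed when a non-comment line matching
# REGEX (an awk ERE written without backslashes) sits inside top-level SECTION { }.
section_has() {
    [ -r "$1" ] || return 1
    awk -v sec="$2" -v re="$3" '
        /^[[:space:]]*#/ { next }                          # skip comment lines
        !inside && $0 ~ ("^[[:space:]]*" sec "[[:space:]]*[{]") {
            inside = 1; depth = 1; next                    # entered the section
        }
        inside {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested braces
            if ($0 ~ re) found = 1
            if (depth <= 0) inside = 0                     # left the section
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_raddb RADDB_DIR: print one line per check, return 0 only if all pass.
check_raddb() {
    rc=0
    if section_has "$1/radiusd.conf" modules '[$]INCLUDE[[:space:]]+[$][{]confdir[}]/modules/'; then
        echo "ok:   $1/radiusd.conf includes \${confdir}/modules/"
    else
        echo "FAIL: $1/radiusd.conf does not \$INCLUDE \${confdir}/modules/ (modules/ntlm_auth is never read)"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*exec[[:space:]]+ntlm_auth[[:space:]]*[{]' "$1/modules/ntlm_auth" 2>/dev/null; then
        echo "ok:   $1/modules/ntlm_auth defines exec ntlm_auth { ... }"
    else
        echo "FAIL: $1/modules/ntlm_auth is missing or does not define exec ntlm_auth"
        rc=1
    fi
    if section_has "$1/sites-enabled/default" authenticate '^[[:space:]]*ntlm_auth[[:space:]]*$'; then
        echo "ok:   $1/sites-enabled/default lists ntlm_auth in authenticate { }"
    else
        echo "FAIL: ntlm_auth is not listed in authenticate { } of $1/sites-enabled/default"
        rc=1
    fi
    return $rc
}

# list_raddb_dirs: print every candidate tree on this host (assumed locations);
# more than one means the server may read a tree other than the one being edited.
list_raddb_dirs() {
    for d in /etc/raddb /etc/freeradius /usr/local/etc/raddb; do
        if [ -f "$d/radiusd.conf" ]; then echo "$d"; fi
    done
    return 0
}

# make_sample_raddb DIR good|broken: write a constructed minimal tree.
# "broken" reproduces the upgraded-package symptom: modules/ntlm_auth exists,
# but radiusd.conf never includes the modules/ directory.
make_sample_raddb() {
    mkdir -p "$1/modules" "$1/sites-enabled"
    {
        printf '%s\n' 'prefix = /usr' 'raddbdir = /etc/freeradius' 'confdir = ${raddbdir}' 'modules {'
        if [ "$2" = good ]; then printf '%s\n' '    $INCLUDE ${confdir}/modules/'; fi
        printf '%s\n' '    $INCLUDE eap.conf' '}'
    } > "$1/radiusd.conf"
    # Module instance in the shape of the deployingradius.com howto; domain EXAMPLE is an assumption.
    printf '%s\n' 'exec ntlm_auth {' '    wait = yes' \
        '    program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password}"' \
        '}' > "$1/modules/ntlm_auth"
    printf '%s\n' 'authorize {' '    preprocess' '    update control {' '        Auth-Type := ntlm_auth' '    }' '}' \
        'authenticate {' '    Auth-Type PAP {' '        pap' '    }' '    ntlm_auth' '}' > "$1/sites-enabled/default"
}

# Stand-alone demo on the two constructed trees.
tmp=$(mktemp -d)
make_sample_raddb "$tmp/good" good
make_sample_raddb "$tmp/broken" broken
for t in good broken; do
    echo "== $tmp/$t"
    check_raddb "$tmp/$t" || echo "   -> add '\$INCLUDE \${confdir}/modules/' at the top of modules { } in radiusd.conf"
done
rm -rf "$tmp"
```

Run check_raddb against the directory that "radiusd -X" reports under "reading configuration files" (for the Lenny package that is /etc/freeradius, not /usr/local/etc/raddb). The first check failing while the second passes is exactly the situation in this thread: the module file is correct but unreachable, so the "ntlm_auth" reference in authenticate { } cannot resolve to an instance. list_raddb_dirs only lists candidate trees; if it prints more than one, the server and the editor may be looking at different files, which is the possibility Johan Meiring raised.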