RE: Active Directory and FreeRadius
Well, I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network, and I thought I could set up those Linux workstations to point to the RADIUS server, where they log in using their Active Directory credentials. So I am not sure if this can be done or not, but I would like to hear from anybody who has done something similar to what I am doing.

Thanks,

-----Original Message-----
From: Alan DeKok [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 13, 2005 2:58 PM
To: FreeRadius users mailing list
Subject: Re: Active Directory and FreeRadius

Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> I was able to auth against AD by setting up KRB5 on RHEL. Now I would like to set up freeradius where I will have a bunch of UNIX workstations that will point to the freeradius server using the pam_radius_auth module and will auth against the radius server using their AD credentials.

Why not just use pam_krb5?

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Active Directory and FreeRadius
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> Well, I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network, and I thought I could set up those Linux workstations to point to the RADIUS server, where they log in using their Active Directory credentials.

You said that already. What you may not know is that AD implements Kerberos. You can use pam_krb5 on the Linux boxes to do *exactly* the same thing, but without using RADIUS at all.

Alan DeKok.
RE: Active Directory and FreeRadius
I'd recommend skipping PAM and using MIT's kerberized telnet. I don't believe PAM supports single sign-on, whereas you can have single sign-on with kerberized telnet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alan DeKok
Sent: Thursday, July 14, 2005 11:39 AM
To: FreeRadius users mailing list
Subject: Re: Active Directory and FreeRadius

Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> Well, I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network, and I thought I could set up those Linux workstations to point to the RADIUS server, where they log in using their Active Directory credentials.

You said that already. What you may not know is that AD implements Kerberos. You can use pam_krb5 on the Linux boxes to do *exactly* the same thing, but without using RADIUS at all.

Alan DeKok.
Re: Active Directory and FreeRadius
RADIUS is not really appropriate. Personally, I'd take a look at http://www.wlug.org.nz/ActiveDirectorySamba and http://mirrors.techiesabode.com/linuxgazette/101/levkovich.html

> Well, I can use pam_krb5, but what I am trying to accomplish here is that I have quite a few Linux workstations on my network, and I thought I could set up those Linux workstations to point to the RADIUS server, where they log in using their Active Directory credentials. So I am not sure if this can be done or not, but I would like to hear from anybody who has done something similar to what I am doing.
>
> Thanks,
Active Directory and FreeRadius
Hi,

I was able to auth against AD by setting up KRB5 on RHEL. Now I would like to set up freeradius where I will have a bunch of UNIX workstations that will point to the freeradius server using the pam_radius_auth module and will auth against the radius server using their AD credentials. So would anyone have an example of a radiusd.conf file that I can see, to get an idea of how I might be able to set up the freeradius server to point to AD for auth purposes?

Thanks,
Re: Active Directory and FreeRadius
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> I was able to auth against AD by setting up KRB5 on RHEL. Now I would like to set up freeradius where I will have a bunch of UNIX workstations that will point to the freeradius server using the pam_radius_auth module and will auth against the radius server using their AD credentials.

Why not just use pam_krb5?

Alan DeKok.
RE: Active Directory and FreeRadius
Thanks for the quick response, Dustin. Here are the entries from my users file (I removed the comments for easy reading):

test    Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 43.191.104.146,
        Framed-IP-Netmask = 255.255.252.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == CSLIP
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == SLIP
        Framed-Protocol = SLIP

/etc/raddb/radiusd.conf (authenticate section):

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
}

I had a hunch I might be missing something in the users file... did I mention this is my first foray into radius?

Thanks in advance for any assistance,
~Brandon

-----Original Message-----
From: Dustin Doris [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 25, 2005 6:53 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Active Directory and FreeRadius

> Hello all, I am trying to configure FreeRadius to auth against Active Directory. I was wondering if anyone on the list has done this successfully. I thought the best way to go was to connect to A.D. as if it was an LDAP server (please let me know if there is a better way). Any tips or docs would be greatly appreciated. Before anyone asks... I would love to use OpenLDAP instead, but that is not my karma.
>
> I started radiusd in debug mode and here is the output I am getting:
>
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
>         User-Name = deyoungb
>         User-Password = secret
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> rlm_realm: No '@' in User-Name = deyoungb, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> users: Matched DEFAULT at 152
> modcall[authorize]: module files returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for deyoungb
> radius_xlat: '(cn=deyoungb)'
> radius_xlat: 'DC=am,DC=sony,DC=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
> rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user deyoungb authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns ok for request 0
> modcall: group authorize returns ok for request 0

Looks good up to here, then it switches to Auth-Type of System.

> rad_check_password: Found Auth-Type System
> auth: type System
> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
> Sending Access-Reject of id 112 to 43.191.104.141:2611
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 112 with timestamp 41f6f231
> Nothing to do. Sleeping until we see a request.

What is in your users file and the authenticate section of radiusd.conf? Something is making it try System instead of Ldap for authentication.
RE: Active Directory and FreeRadius
Comments below.

> Thanks for the quick response, Dustin. Here are the entries from my users file (I removed the comments for easy reading):
>
> test    Auth-Type := Local, User-Password == testing
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 43.191.104.146,
>         Framed-IP-Netmask = 255.255.252.0,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP

Try taking out this entry below, which is setting Auth-Type to System. Just comment it out, then restart radius and test again, like this:

#DEFAULT Auth-Type = System
#        Fall-Through = 1

> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == CSLIP
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == SLIP
>         Framed-Protocol = SLIP
>
> /etc/raddb/radiusd.conf (authenticate section):
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type LDAP {
>                 ldap
>         }
> }
>
> I had a hunch I might be missing something in the users file... did I mention this is my first foray into radius?
>
> Thanks in advance for any assistance,
> ~Brandon
>
> -----Original Message-----
> From: Dustin Doris [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 25, 2005 6:53 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Active Directory and FreeRadius
>
>> Hello all, I am trying to configure FreeRadius to auth against Active Directory. I was wondering if anyone on the list has done this successfully. I thought the best way to go was to connect to A.D. as if it was an LDAP server (please let me know if there is a better way). Any tips or docs would be greatly appreciated. Before anyone asks... I would love to use OpenLDAP instead, but that is not my karma.
>>
>> I started radiusd in debug mode and here is the output I am getting:
>>
>> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
>>         User-Name = deyoungb
>>         User-Password = secret
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>> modcall[authorize]: module preprocess returns ok for request 0
>> rlm_realm: No '@' in User-Name = deyoungb, looking up realm NULL
>> rlm_realm: No such realm NULL
>> modcall[authorize]: module suffix returns noop for request 0
>> users: Matched DEFAULT at 152
>> modcall[authorize]: module files returns ok for request 0
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for deyoungb
>> radius_xlat: '(cn=deyoungb)'
>> radius_xlat: 'DC=am,DC=sony,DC=com'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
>> rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user deyoungb authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> modcall[authorize]: module ldap returns ok for request 0
>> modcall: group authorize returns ok for request 0
>
> Looks good up to here, then it switches to Auth-Type of System.
>
>> rad_check_password: Found Auth-Type System
>> auth: type System
>> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
>> auth: Failed to validate the user.
>> Delaying request 0 for 1 seconds
>> Finished request 0
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 1 seconds...
>> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
>> Sending Access-Reject of id 112 to 43.191.104.141:2611
>> --- Walking the entire request list ---
>> Waking up in 3 seconds...
>> --- Walking the entire request list ---
>> Cleaning up request 0 ID 112 with timestamp 41f6f231
>> Nothing to do. Sleeping until we see a request.
>
> What is in your users file and the authenticate section of radiusd.conf? Something is making it try System instead of Ldap for authentication.
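The exchange above comes down to operator semantics in the users file: a `DEFAULT` entry with `Auth-Type = System` and `Fall-Through = 1` matches every request that reaches rlm_files, sets Auth-Type before rlm_ldap runs, and rlm_ldap then leaves the existing value alone, so rad_check_password goes looking for an `Auth-Type System` sub-section that the posted authenticate {} does not define. The following Python is an added example, not code from the thread or from FreeRADIUS, that simulates that pipeline over a trimmed copy of the posted users file. The `==`, `:=`, `=` and Fall-Through rules follow the users(5) man page; the rule that rlm_ldap only adds Auth-Type when nothing set it earlier is my reading of the 1.x module and is marked as an assumption in the code. The built-in `Local` type is not modelled. It also includes a small lint, `default_auth_type_setters`, that flags any DEFAULT entry setting Auth-Type, which is the check worth running on a users file before pointing a directory-backed module at it.

```python
"""Simulate FreeRADIUS 1.x handling of a `users` file: rlm_files walks the
entries, rlm_ldap may set Auth-Type, rad_check_password looks the Auth-Type
up in authenticate {}. Added example, not FreeRADIUS code.
Operator semantics follow users(5):
  ==  compare against a request attribute (check item)
  :=  set a config item, overriding an earlier value
  =   set a config item only if it is not already set
Fall-Through = Yes (or 1) keeps matching later entries after a hit."""
import re

ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|!=|=)\s*(.*)')


def _parse_items(text):
    """'A = 1, B == x' -> [('A', '=', '1'), ('B', '==', 'x')]."""
    items = []
    for piece in text.split(','):
        piece = piece.strip()
        if not piece:
            continue
        m = ITEM_RE.fullmatch(piece)
        if not m:
            raise ValueError('cannot parse item %r' % piece)
        attr, op, val = m.groups()
        items.append((attr, op, val.strip().strip('"')))
    return items


def parse_users(text):
    """Return [(name, check_items, reply_items), ...] in file order. A line in
    column 0 opens an entry, indented lines hold its reply items, '#' comments."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] not in ' \t':
            parts = raw.split(None, 1)
            check = _parse_items(parts[1]) if len(parts) > 1 else []
            entries.append((parts[0], check, []))
        elif entries:
            entries[-1][2].extend(_parse_items(raw))
        else:
            raise ValueError('reply items before any entry')
    return entries


def rlm_files(entries, request):
    """Walk entries like rlm_files: first match wins unless it says
    Fall-Through. Returns the config items (e.g. Auth-Type) later stages see."""
    config = {}
    for name, check, reply in entries:
        if name != 'DEFAULT' and name != request.get('User-Name'):
            continue
        compares = [(a, op, v) for a, op, v in check if op in ('==', '!=')]
        if not all((request.get(a) == v) == (op == '==') for a, op, v in compares):
            continue
        for attr, op, val in check:
            if op == ':=' or (op == '=' and attr not in config):
                config[attr] = val
        fall_through = any(a == 'Fall-Through' and v.lower() in ('yes', '1', 'on')
                           for a, _, v in reply)
        if not fall_through:
            break
    return config


def rlm_ldap_authorize(config, user_found):
    """Assumption about rlm_ldap 1.x: a user found in the directory gets
    Auth-Type LDAP, but only if no earlier module already set Auth-Type."""
    if user_found and 'Auth-Type' not in config:
        config['Auth-Type'] = 'LDAP'
    return config


def rad_check_password(config, authenticate):
    """Pick the authenticate {} sub-section named by Auth-Type; any other
    value is the 'Unknown value specified for Auth-Type' failure."""
    auth_type = config.get('Auth-Type')
    if auth_type is None:
        return None, 'no Auth-Type set -> Access-Reject'
    if auth_type not in authenticate:
        return auth_type, 'ERROR: Unknown value specified for Auth-Type.'
    return auth_type, 'run module %s' % authenticate[auth_type]


def resolve(users_text, request, user_found, authenticate):
    """End to end: users file -> rlm_ldap -> authenticate {} lookup."""
    config = rlm_files(parse_users(users_text), request)
    rlm_ldap_authorize(config, user_found)
    return rad_check_password(config, authenticate)


def default_auth_type_setters(users_text):
    """Lint: DEFAULT entries that set Auth-Type pre-empt directory modules."""
    return [(op, val) for name, check, _ in parse_users(users_text)
            for attr, op, val in check if name == 'DEFAULT' and attr == 'Auth-Type']


AUTHENTICATE = {'PAP': 'pap', 'LDAP': 'ldap'}   # the authenticate {} posted above

# Constructed sample: trimmed copy of the users file posted in the thread.
USERS_BROKEN = """\
test    Auth-Type := Local, User-Password == "testing"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-MTU = 1500

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
"""
# The fix from the thread: comment the System entry out.
USERS_FIXED = USERS_BROKEN.replace('\nDEFAULT Auth-Type = System\n        Fall-Through = 1',
                                   '\n#DEFAULT Auth-Type = System\n#       Fall-Through = 1')
REQUEST = {'User-Name': 'deyoungb', 'User-Password': 'secret'}  # as in the debug output

if __name__ == '__main__':
    print('before:', resolve(USERS_BROKEN, REQUEST, True, AUTHENTICATE))
    print('after: ', resolve(USERS_FIXED, REQUEST, True, AUTHENTICATE))
    print('lint:  ', default_auth_type_setters(USERS_BROKEN))
```

Running it prints the same `ERROR: Unknown value specified for Auth-Type.` for the original file and `run module ldap` once the System entry is commented out; the lint returns `[('=', 'System')]` for the original and nothing for the fixed file.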
RE: Active Directory and FreeRadius
That worked like a charm! Thank you ever so much,

~Brandon

-----Original Message-----
From: Dustin Doris [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 26, 2005 3:53 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Active Directory and FreeRadius

Comments below.

> Thanks for the quick response, Dustin. Here are the entries from my users file (I removed the comments for easy reading):
>
> test    Auth-Type := Local, User-Password == testing
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 43.191.104.146,
>         Framed-IP-Netmask = 255.255.252.0,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobsen-TCP-IP

Try taking out this entry below, which is setting Auth-Type to System. Just comment it out, then restart radius and test again, like this:

#DEFAULT Auth-Type = System
#        Fall-Through = 1

> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == CSLIP
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == SLIP
>         Framed-Protocol = SLIP
>
> /etc/raddb/radiusd.conf (authenticate section):
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>         Auth-Type LDAP {
>                 ldap
>         }
> }
>
> I had a hunch I might be missing something in the users file... did I mention this is my first foray into radius?
>
> Thanks in advance for any assistance,
> ~Brandon
>
> -----Original Message-----
> From: Dustin Doris [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 25, 2005 6:53 PM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Active Directory and FreeRadius
>
>> Hello all, I am trying to configure FreeRadius to auth against Active Directory. I was wondering if anyone on the list has done this successfully. I thought the best way to go was to connect to A.D. as if it was an LDAP server (please let me know if there is a better way). Any tips or docs would be greatly appreciated. Before anyone asks... I would love to use OpenLDAP instead, but that is not my karma.
>>
>> I started radiusd in debug mode and here is the output I am getting:
>>
>> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
>>         User-Name = deyoungb
>>         User-Password = secret
>> Processing the authorize section of radiusd.conf
>> modcall: entering group authorize for request 0
>> modcall[authorize]: module preprocess returns ok for request 0
>> rlm_realm: No '@' in User-Name = deyoungb, looking up realm NULL
>> rlm_realm: No such realm NULL
>> modcall[authorize]: module suffix returns noop for request 0
>> users: Matched DEFAULT at 152
>> modcall[authorize]: module files returns ok for request 0
>> rlm_ldap: - authorize
>> rlm_ldap: performing user authorization for deyoungb
>> radius_xlat: '(cn=deyoungb)'
>> radius_xlat: 'DC=am,DC=sony,DC=com'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0
>> rlm_ldap: attempting LDAP reconnection
>> rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
>> rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
>> rlm_ldap: waiting for bind result ...
>> rlm_ldap: Bind was successful
>> rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
>> rlm_ldap: looking for check items in directory...
>> rlm_ldap: looking for reply items in directory...
>> rlm_ldap: user deyoungb authorized to use remote access
>> rlm_ldap: ldap_release_conn: Release Id: 0
>> modcall[authorize]: module ldap returns ok for request 0
>> modcall: group authorize returns ok for request 0
>
> Looks good up to here, then it switches to Auth-Type of System.
>
>> rad_check_password: Found Auth-Type System
>> auth: type System
>> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
>> auth: Failed to validate the user.
>> Delaying request 0 for 1 seconds
>> Finished request 0
>> Going to the next request
>> --- Walking the entire request list ---
>> Waking up in 1 seconds...
>> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
>> Sending Access-Reject of id 112 to 43.191.104.141:2611
>> --- Walking the entire request list ---
>> Waking up in 3 seconds...
>> --- Walking the entire request list ---
>> Cleaning up request 0 ID 112 with timestamp 41f6f231
>> Nothing to do. Sleeping until we see a request.
>
> What is in your users file and the authenticate section of radiusd.conf? Something is making it try System instead of Ldap for authentication.
Active Directory and FreeRadius
Hello all,

I am trying to configure FreeRadius to auth against Active Directory. I was wondering if anyone on the list has done this successfully. I thought the best way to go was to connect to A.D. as if it was an LDAP server (please let me know if there is a better way). Any tips or docs would be greatly appreciated. Before anyone asks... I would love to use OpenLDAP instead, but that is not my karma.

I started radiusd in debug mode and here is the output I am getting:

rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
        User-Name = deyoungb
        User-Password = secret
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = deyoungb, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for deyoungb
radius_xlat: '(cn=deyoungb)'
radius_xlat: 'DC=am,DC=sony,DC=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user deyoungb authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type System
auth: type System
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
Sending Access-Reject of id 112 to 43.191.104.141:2611
--- Walking the entire request list ---
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 112 with timestamp 41f6f231
Nothing to do. Sleeping until we see a request.

Thanks in advance!
~Brandon
Re: Active Directory and FreeRadius
> Hello all, I am trying to configure FreeRadius to auth against Active Directory. I was wondering if anyone on the list has done this successfully. I thought the best way to go was to connect to A.D. as if it was an LDAP server (please let me know if there is a better way). Any tips or docs would be greatly appreciated. Before anyone asks... I would love to use OpenLDAP instead, but that is not my karma.
>
> I started radiusd in debug mode and here is the output I am getting:
>
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
>         User-Name = deyoungb
>         User-Password = secret
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> rlm_realm: No '@' in User-Name = deyoungb, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> users: Matched DEFAULT at 152
> modcall[authorize]: module files returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for deyoungb
> radius_xlat: '(cn=deyoungb)'
> radius_xlat: 'DC=am,DC=sony,DC=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
> rlm_ldap: bind as CN=~MyAccessAccount,OU=Service Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter (cn=deyoungb)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user deyoungb authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module ldap returns ok for request 0
> modcall: group authorize returns ok for request 0

Looks good up to here, then it switches to Auth-Type of System.

> rad_check_password: Found Auth-Type System
> auth: type System
> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
> Sending Access-Reject of id 112 to 43.191.104.141:2611
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 112 with timestamp 41f6f231
> Nothing to do. Sleeping until we see a request.

What is in your users file and the authenticate section of radiusd.conf? Something is making it try System instead of Ldap for authentication.
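Dustin's diagnosis was made by reading the debug output by eye: every authorize module returned ok or noop, rlm_files matched a DEFAULT entry at line 152, and then rad_check_password found an Auth-Type with no matching authenticate {} sub-section. The following Python is an added example, not code from the thread or from FreeRADIUS, that does the same triage over `radiusd -X` output: it splits the log per request id, records each module's return code, the users-file entry that matched, the Auth-Type found and the Access-Accept/Reject sent, and then states where to look. The line patterns are taken from the 1.x-format output posted above (with optional quotes around module names, which the posted copy lost); the sample log is a constructed subset of those lines, and the failing return codes are the standard module rcodes.

```python
"""Triage helper for `radiusd -X` (FreeRADIUS 1.x) debug output. Added example,
not FreeRADIUS code. Builds one record per request id and explains a reject in
terms of what the authorize section produced."""
import re

RECV_RE = re.compile(r'rad_recv: Access-Request packet from host (\S+), id=(\d+)')
MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "?([\w-]+)"? returns (\w+) for request (\d+)')
USERS_RE = re.compile(r'users: Matched (\S+) at (\d+)')
AUTHTYPE_RE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
UNKNOWN_RE = re.compile(r'ERROR: Unknown value specified for Auth-Type')
SEND_RE = re.compile(r'Sending Access-(Accept|Reject) of id (\d+)')
FAILING_RCODES = ('fail', 'reject', 'invalid', 'userlock', 'notfound')


def parse_debug(text):
    """Return one record per request id, in order of first appearance."""
    records = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = RECV_RE.search(line)
        if m:   # a retransmit with the same id reuses the existing record
            rid = int(m.group(2))
            current = records.setdefault(rid, {
                'id': rid, 'peer': m.group(1), 'modules': [],
                'users_match': None, 'auth_type': None,
                'unknown_auth_type': False, 'outcome': None})
            continue
        if current is None:
            continue
        m = MODCALL_RE.search(line)
        if m:
            current['modules'].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = USERS_RE.search(line)
        if m:
            current['users_match'] = (m.group(1), int(m.group(2)))
            continue
        m = AUTHTYPE_RE.search(line)
        if m:
            current['auth_type'] = m.group(1)
            continue
        if UNKNOWN_RE.search(line):
            current['unknown_auth_type'] = True
            continue
        m = SEND_RE.search(line)
        if m:
            rec = records.get(int(m.group(2)))
            if rec is not None:
                rec['outcome'] = m.group(1)
    return list(records.values())


def diagnose(record, authenticate_types):
    """Explain the outcome. authenticate_types: names defined in authenticate {}."""
    failed = [(sec, mod, rc) for sec, mod, rc in record['modules'] if rc in FAILING_RCODES]
    if failed:
        sec, mod, rc = failed[0]
        return 'module %s returned %s in %s' % (mod, rc, sec)
    at = record['auth_type']
    if at is None:
        return 'no Auth-Type was set; no module will authenticate this request'
    if at not in authenticate_types:
        where = ''
        if record['users_match']:
            where = ' (check the %s entry at users line %d, which matched)' % record['users_match']
        return 'Auth-Type %s is not defined in authenticate {}%s' % (at, where)
    return 'Auth-Type %s -> %s' % (at, record['outcome'])


# Constructed sample: a subset of the debug lines posted in this thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
        User-Name = "deyoungb"
        User-Password = "secret"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: user deyoungb authorized to use remote access
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type System
auth: type System
ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112, length=48
Sending Access-Reject of id 112 to 43.191.104.141:2611
"""

if __name__ == '__main__':
    for rec in parse_debug(SAMPLE_LOG):
        print(rec['id'], rec['peer'], rec['modules'], rec['outcome'])
        print(diagnose(rec, {'PAP', 'LDAP'}))
```

For the posted log this yields a single record for id 112, all four authorize modules with ok/noop, Auth-Type System, an Access-Reject, and the message that System is not defined in authenticate {} with a pointer to the DEFAULT entry at users line 152.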