FreeRADIUS Active Directory Integration HOWTO

2009-10-28 Thread Eduardo Gui
Hi,
I'm a new user. Can anyone help me with the FreeRADIUS Active Directory
Integration HOWTO
(http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO)?
This paper is no longer available on the site.

Thanks

-- 
Eduardo Gui
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRADIUS Active Directory Integration HOWTO

2009-10-28 Thread Ivan Kalik
 I'm a new user. Can anyone help me with the FreeRADIUS Active
 Directory Integration HOWTO
 (http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO)?
 This paper is no longer available on the site.

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP


Re: freeradius active directory integration fails with no such realm

2009-07-08 Thread Andrei-Florian Staicu

Ivan Kalik wrote:

Ivan Kalik wrote:


One thing stands out though in the output of freeradius -X (only after
changing the order of suffix and ntdomain in sites-available/default
and
radiusd.conf:
++[mschap] returns noop
rlm_realm: Looking up realm IPSO0 for User-Name =
IPSO0\andrei.staicu
rlm_realm: No such realm IPSO0
++[ntdomain] returns noop
rlm_realm: No '@' in User-Name = IPSO0\andrei.staicu, looking up
realm
NULL
rlm_realm: No such realm NULL

IPSO0 is the realm name for the domain ipso.biz (not the public site;
this is internal and resolved as such by our dns)
I've tried for about two weeks now, but I still have no idea on how to
define the realm IPSO0.


Look at proxy.conf.

Ivan Kalik
Kalik Informatika ISP

  

Hello again

I tried defining the realm IPSO0 (probably wrong) and I see the requests
being proxied to it, but it finally fails



You have. It should be defined as local realm:

realm IPSO0 {
}

Ivan Kalik
Kalik Informatika ISP
  
Hello again. I've reached the output from here:
http://pastebin.com/d19f28a24, and I still don't understand why it
doesn't call the ntlm_auth line



Re: freeradius active directory integration fails with no such realm

2009-07-08 Thread Alan DeKok
Andrei-Florian Staicu wrote:
 Hello again. I've reached the output from here:
 http://pastebin.com/d19f28a24, and I still don't understand why it
 doesn't call the ntlm_auth line

  It looks like you are adding a Proxy-To-Realm := LOCAL.

...
  PEAP: Sending tunneled request
EAP-Message =
0x02060018014950534f305c616e647265692e737461696375
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = IPSO0\\andrei.staicu
server inner-tunnel {
+- entering group authorize
rlm_realm: Looking up realm IPSO0 for User-Name =
IPSO0\andrei.staicu
rlm_realm: Found realm IPSO0
rlm_realm: Adding Stripped-User-Name = andrei.staicu
rlm_realm: Adding Realm = IPSO0
rlm_realm: Authentication realm is LOCAL.
++[ntdomain] returns noop
++[mschap] returns noop
++[control] returns noop

  Why is that update control section there?  What is in it?


  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing
EAP.

  It's being proxied to realm LOCAL.  You have added a LOCAL realm.
Don't do that.

++[eap] returns noop
  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
 exist!  Cancelling invalid proxy request.

  Even more proof.  The IPSO0 realm above is added because it exists.
The server does NOT add a Proxy-To-Realm := LOCAL.  You have done
that.  Delete it from your configuration.

  Alan DeKok.


Re: freeradius active directory integration fails with no such realm

2009-07-08 Thread Andrei-Florian Staicu

Alan DeKok wrote:

[...]

It works now. Thank you very much for clearing things up for me.


Re: freeradius active directory integration fails with no such realm

2009-07-07 Thread Andrei-Florian Staicu

Ivan Kalik wrote:

One thing stands out though in the output of freeradius -X (only after
changing the order of suffix and ntdomain in sites-available/default and
radiusd.conf:
++[mschap] returns noop
rlm_realm: Looking up realm IPSO0 for User-Name = IPSO0\andrei.staicu
rlm_realm: No such realm IPSO0
++[ntdomain] returns noop
rlm_realm: No '@' in User-Name = IPSO0\andrei.staicu, looking up realm
NULL
rlm_realm: No such realm NULL

IPSO0 is the realm name for the domain ipso.biz (not the public site;
this is internal and resolved as such by our dns)
I've tried for about two weeks now, but I still have no idea on how to
define the realm IPSO0.



Look at proxy.conf.

Ivan Kalik
Kalik Informatika ISP
  

Hello again

I tried defining the realm IPSO0 (probably wrong) and I see the requests
being proxied to it, but it finally fails with Login incorrect (Home
Server says so): [IPSO0\\andrei.staicu/no User-Password attribute]

I put the output here: http://pastebin.com/m516967e2, should it help.
All I see in the output is ++[mschap] returns noop. Should the module
do something before failing?


Thanks



Re: freeradius active directory integration fails with no such realm

2009-07-07 Thread Ivan Kalik
 Ivan Kalik wrote:
 One thing stands out though in the output of freeradius -X (only after
 changing the order of suffix and ntdomain in sites-available/default
 and
 radiusd.conf:
 ++[mschap] returns noop
 rlm_realm: Looking up realm IPSO0 for User-Name =
 IPSO0\andrei.staicu
 rlm_realm: No such realm IPSO0
 ++[ntdomain] returns noop
 rlm_realm: No '@' in User-Name = IPSO0\andrei.staicu, looking up
 realm
 NULL
 rlm_realm: No such realm NULL

 IPSO0 is the realm name for the domain ipso.biz (not the public site;
 this is internal and resolved as such by our dns)
 I've tried for about two weeks now, but I still have no idea on how to
 define the realm IPSO0.


 Look at proxy.conf.

 Ivan Kalik
 Kalik Informatika ISP

 Hello again

 I tried defining the realm IPSO0 (probably wrong) and I see the requests
 being proxied to it, but it finally fails

You have. It should be defined as local realm:

realm IPSO0 {
}

Ivan Kalik
Kalik Informatika ISP



freeradius active directory integration fails with no such realm

2009-07-06 Thread Andrei-Florian Staicu

Hello all,

I tried to configure freeradius 2.0.4 on debian 5.0.2 (after recompiling
with openssl support, as instructed in the debian readme) for
authenticating wireless connections with wpa2-enterprise, using active
directory user/password (windows xp as clients, d-link dwl 2200ap as APs).
I followed the how-to from
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO,
but somehow I seem to fail.
I know I should post here the configurations and the output of
freeradius -X, but they are very long and I don't know what I should
select.


One thing stands out though in the output of freeradius -X (only after 
changing the order of suffix and ntdomain in sites-available/default and 
radiusd.conf:

++[mschap] returns noop
rlm_realm: Looking up realm IPSO0 for User-Name = IPSO0\andrei.staicu
rlm_realm: No such realm IPSO0
++[ntdomain] returns noop
rlm_realm: No '@' in User-Name = IPSO0\andrei.staicu, looking up realm 
NULL

rlm_realm: No such realm NULL

IPSO0 is the realm name for the domain ipso.biz (not the public site; 
this is internal and resolved as such by our dns)
I've tried for about two weeks now, but I still have no idea on how to
define the realm IPSO0.


ntlm_auth works on that server:
ntlm_auth --request-nt-key --username andrei.staicu --domain IPSO0
password:
NT_STATUS_OK: Success (0x0)
(note on this: using ntlm_auth --request-nt-key --domain=your domain
--username=your username as in the howto doesn't seem to work, but
ntlm_auth --request-nt-key --domain your domain --username your
username works)


Could you give me some pointers on how to continue? I've run out of
options with this one. If all the configuration files and all the output
of freeradius -X are required, I'll post them in a pastebin and link here.


Thanks in advance


Re: freeradius active directory integration fails with no such realm

2009-07-06 Thread A . L . M . Buxey
Hi,


 One thing stands out though in the output of freeradius -X (only after  
 changing the order of suffix and ntdomain in sites-available/default and  
 radiusd.conf:
 ++[mschap] returns noop

ensure that preprocess module is called first and then ensure that
with_ntdomain_hack is set to on


alan


Re: freeradius active directory integration fails with no such realm

2009-07-06 Thread Ivan Kalik
 One thing stands out though in the output of freeradius -X (only after
 changing the order of suffix and ntdomain in sites-available/default and
 radiusd.conf:
 ++[mschap] returns noop
 rlm_realm: Looking up realm IPSO0 for User-Name = IPSO0\andrei.staicu
 rlm_realm: No such realm IPSO0
 ++[ntdomain] returns noop
 rlm_realm: No '@' in User-Name = IPSO0\andrei.staicu, looking up realm
 NULL
 rlm_realm: No such realm NULL

 IPSO0 is the realm name for the domain ipso.biz (not the public site;
 this is internal and resolved as such by our dns)
 I've tried for about two weeks now, but I still have no idea on how to
 define the realm IPSO0.

Look at proxy.conf.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS Active Directory Integration

2009-05-15 Thread A . L . M . Buxey
hi,

you still have ntlm_auth in your authorise section...that's wrong.
take ntlm_auth out of there.

edit modules/mschap and uncomment the ntlm_auth line (and configure
anything else you need such as MPPE) and then ensure that
mschap is called in the virtual server (sites-enabled/default)
and inner-tunnel (if using EAP) in the authenticate section.


the default config as supplied by FreeRADIUS *WORKS* - I can
vouch for that having started on many greenfield sites with a
bare new FreeRADIUS server and getting packets auth'd with just
a few config changes for the required purpose.

I think you might be getting confused with the 'authorize'
terminology.  the server first checks to see if the user-name
is authorised to connect (ie has the 'rights' to connect from
a NAS, at a certain time etc etc), this stops it having to
check the password first - a waste of auth server time! -
the server then checks the authentication (ie is the password
correct?) if the user is allowed to connect.  after this,
the post-auth and accounting is done.

remember, if using EAP, the server will read eap.conf and
by default will then use the inner-tunnel virtual server -
so if using EAP you have THOSE auth/auth/acct sections to
deal with too!

alan


FreeRADIUS Active Directory Integration

2009-05-14 Thread Davies, Mike
We're not able to get the user authenticated.

[r...@u701radius02 raddb]# wbinfo -a dw68406a%garrett05
plaintext password authentication succeeded
challenge/response password authentication succeeded

 [r...@u701radius02 raddb]# ntlm_auth --request-nt-key --domain=dom002 
--username=dw68406a --password=garrett05
NT_STATUS_OK: Success (0x0)

[r...@u701radius02 raddb]# radiusd -X
FreeRADIUS Version 2.1.3, for host i386-redhat-linux-gnu, built on Dec  8 2008 at 15:31:31
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket
including configuration file /etc/raddb/sites-enabled/default
including configuration file /etc/raddb/sites-enabled/inner-tunnel
group = radiusd
user = radiusd
including dictionary file /etc/raddb/dictionary
main {
  prefix = /usr
  localstatedir = /var
  logdir = /var/log/radius
  libdir = /usr/lib/freeradius
  radacctdir = /var/log/radius/radacct
  hostname_lookups = no
  max_request_time = 30
  cleanup_delay = 5
  max_requests = 1024
  allow_core_dumps = no
  pidfile = /var/run/radiusd/radiusd.pid
  checkrad = /usr/sbin/checkrad
  debug_level = 0
  proxy_requests = yes
 log {
  stripped_names = no
  auth = no
  auth_badpass = no
  auth_goodpass = no
 }
 security {
  max_attributes = 200
  reject_delay = 1
  status_server = yes
 }
}
 client 172.18.134.248 {
  require_message_authenticator = no
  secret = testing123
  shortname = 172.18.134.248
  nastype = other
 }
 client localhost {
  ipaddr = 127.0.0.1
  require_message_authenticator = no
  secret = testing123
  nastype = other
 }
radiusd:  Loading Realms and Home Servers 
 proxy server {
  retry_delay = 5
  retry_count = 3
  default_fallback = no
  dead_time = 120
  wake_all_if_all_dead = no
 }
 home_server localhost {
  ipaddr = 127.0.0.1
  port = 1812
  type = auth
  secret = testing123
  response_window = 20
  max_outstanding = 65536
  zombie_period = 40
  status_check = status-server
  ping_interval = 30
  check_interval = 30
  num_answers_to_alive = 3
  num_pings_to_alive = 3
  revive_interval = 120
  status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
  type = fail-over
  home_server = localhost
 }
 realm example.com {
  auth_pool = 

Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread A . L . M . Buxey
Hi,

  [r...@u701radius02 raddb]# ntlm_auth --request-nt-key --domain=dom002 
 --username=dw68406a --password=garrett05
 NT_STATUS_OK: Success (0x0)

good.


 +- entering group authorize {...}
 ++[preprocess] returns ok
 [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=DW68406A
 [ntlm_auth] expand: --password=%{User-Password} -> --password=
 Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
 Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
 (0xc06a)
 Exec-Program: returned: 1
 ++[ntlm_auth] returns reject

no password supplied - %{Cleartext-Password}  instead? what makes you
think a password is supplied?  have you tried using the default ntlm_auth
line that comes with freeradius and just changing the --username part to
look like your chosen flavour (--domain is up to you...if needed)

alan


Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Nicolas Goutte


On 14.05.2009 at 19:31, Davies, Mike wrote:


We’re not able to get the user authenticated.




[...]


radiusd:  Loading Virtual Servers 

server inner-tunnel {

 modules {

 Module: Checking authenticate {...} for more modules to load

 Module: Linked to module rlm_chap

 Module: Instantiating chap

 Module: Instantiating ntlm_auth

  exec ntlm_auth {

  wait = yes

  program = /usr/bin/ntlm_auth --request-nt-key --domain=DOM002 --username=%{mschap:User-Name} --password=%{User-Password}


I do not know much about ntlm_auth but I can see that this call seems  
to differ widely compared to the change that was proposed in the last  
hours for Freeradius 2.1.6:



ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}


See archive: http://lists.freeradius.org/pipermail/freeradius-users/2009-May/msg00254.html



  input_pairs = request

  shell_escape = yes

  }


[...]




Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Commercial register: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Ivan Kalik
 We're not able to get the user authenticated.

Of course not. You listed ntlm_auth in authorize.

http://deployingradius.com/documents/configuration/active_directory.html

Skip to the bit: Configuring FreeRADIUS to use ntlm_auth

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Ivan Kalik
 Thanks for the catch on listing ntlm_auth in authorize.  I followed the
 deployingradius.com link.  I'm still not getting it.  I tried uncommenting
 the ntlm_auth = line in the mschap file.  I got the same result.


 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 [suffix] No '@' in User-Name = DOM002\MD90345, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 ++[unix] returns notfound
 [files] users: Matched entry DEFAULT at line 174
 ++[files] returns ok
 ++[expiration] returns noop
 ++[logintime] returns noop
 [ntlm_auth] expand: --username=%{mschap:User-Name} -

ntlm_auth is still listed in authorize (only lower down the order). Remove
it from there. And what happened to eap? It should be before unix, files,
etc.

 including configuration file /etc/raddb/modules/mschap
...
  Module: Instantiating mschap
   mschap {
 use_mppe = yes
 require_encryption = yes
 require_strong = yes
 with_ntdomain_hack = yes
   }

You haven't enabled ntlm_auth in mschap module. You only have it as
standalone exec script.

Ivan Kalik
Kalik Informatika ISP

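The replies in this thread (ntlm_auth belongs inside the mschap module and in authenticate, not as an exec module in authorize) and Ivan's answer in the IPSO0 thread (define the Windows domain as a local realm in proxy.conf) add up to the configuration below. It is an added example written for this page, not a file from any list post or from the FreeRADIUS distribution; the ntlm_auth line is the one Nicolas quoted, the realm name IPSO0 comes from the thread, and the /usr/bin/ntlm_auth path, the with_ntdomain_hack setting in preprocess and the exact module list in each section are assumptions based on the 2.x defaults.

```conf
# --- raddb/modules/mschap -------------------------------------------------
# ntlm_auth goes here, inside rlm_mschap, not as a standalone exec module
# listed in authorize. rlm_mschap hands the MS-CHAP challenge and the
# client's NT-Response to ntlm_auth, so no cleartext password is needed;
# the exec form expanded --password=%{User-Password} to an empty value and
# failed with NT_STATUS_WRONG_PASSWORD.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    # Line as quoted by Nicolas; the /usr/bin path is an assumption.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- raddb/modules/preprocess ---------------------------------------------
# Alan Buxey's point: preprocess runs first and normalises DOMAIN\user so
# the modules after it all see the same name (setting assumed, not shown
# in the thread's debug output).
preprocess {
    with_ntdomain_hack = yes
}

# --- raddb/modules/realm (the default ntdomain instance) ------------------
realm ntdomain {
    format = prefix
    delimiter = "\\"
}

# --- raddb/proxy.conf ------------------------------------------------------
# A realm with no auth_pool/home server is LOCAL: the request is handled on
# this server and never proxied. Do not define a realm named LOCAL and do
# not set "Proxy-To-Realm := LOCAL" in an update control block; once the
# realm is found the server itself logs "Authentication realm is LOCAL".
realm IPSO0 {
}

# --- raddb/sites-enabled/default and sites-enabled/inner-tunnel -----------
# authorize only decides the Auth-Type. ntdomain comes before suffix so
# that "IPSO0\andrei.staicu" is split into Realm = IPSO0 and
# Stripped-User-Name = andrei.staicu instead of "No such realm NULL".
authorize {
    preprocess
    mschap
    ntdomain
    suffix
    eap
    files
}

# authenticate is where the password is actually checked: mschap calls
# ntlm_auth, and eap (PEAP/MSCHAPv2) hands the inner request to the
# inner-tunnel virtual server, which needs the same two sections.
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```

In a radiusd -X dump, "Module: Instantiating ntlm_auth" as an exec module and an empty --password= expansion are the two signs that ntlm_auth is still wired in the wrong place.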


Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Alan DeKok
Davies, Mike wrote:
 Thanks for the catch on listing ntlm_auth in authorize.  I followed the
 deployingradius.com link.

  Sorry, but no.  That page does NOT say to list ntlm_auth in the
authorize section.

  I’m still not getting it.  I tried
 uncommenting the ntlm_auth = line in the mschap file.  I got the same
 result.

  Start with the default configuration files.  Follow the guide.  It
WILL work.

  Alan DeKok.

Re: Problem with FreeRADIUS Active Directory Integration

2009-05-06 Thread Ivan Kalik
 In our test lab we are working on using FreeRADIUS to authenticate users
 against their AD credentials.  We loaded FreeRADIUS on a Fedora 10.  We
 loaded SAMBA and it works.  We loaded freeradius-2.1.3-1.fc10.i386.

 We followed the
 http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO.
 We booted an XP workstation and logged in.  It never got a DHCP address
 and failed authentication.


Read the prerequisites in the article! Updated tutorial is at:

http://deployingradius.com/documents/configuration/active_directory.html

I have added that link to the wiki page.

Ivan Kalik
Kalik Informatika ISP
