Re: FreeRadius + AD + Realms
> $ man unlang
>
> This says put the string %{1} as the value of Stripped-User-Name. See
> the data types' section of the manual page, and the strings section.

Got it ;) Thanks for your help, fixed now.

btw. the unlang-way is quite more flexible than the legacy-module-way. Was this problem even possible to solve without using unlang? (using freeradius 1.x for an example)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius + AD + Realms
Matthew P wrote:
> btw. the unlang-way is quite more flexible than the legacy-module-way

  Yes.  That's why it was written.  But there is still a need for the modules.

> Was this problem even possible to solve without using unlang? (using freeradius 1.x for an example)

  Likely not.

  Alan DeKok.
Re: FreeRadius + AD + Realms
> > In a general regexp language, I guess that could be done with ([\w.-]+)(?...@.*).
>
> Most regexes don't support \w, or (?... constructs.  Keep it simple:
>
> if (User-Name =~ /^(.*)@(.*)$/) {
>     # name = %{1}
>     # realm = %{2}
> }

Makes sense now :) Thanks. man regex is written mostly descriptively; it's much easier to understand on examples like these than on weeknights :D

But I guess I missed the point with doing it this way, because:

if (User-Name =~ /@mydomain.com/) {
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name = %{1}
        }
        ldap
    }
}

doesn't work ^^ It gives:

rlm_ldap - authorize
rlmd_ldap: performing user authorization for %{1}
...

Also, I tried to apply this directly in the ldap module configuration, different outcome, but also doesn't work. Where did I go wrong? -_-
Re: FreeRadius + AD + Realms
Matthew P wrote:
> But I guess I missed the point with doing it this way, because:
>
> if (User-Name =~ /@mydomain.com/) {
>     if (User-Name =~ /^(.*)@(.*)$/) {
>         update request {
>             Stripped-User-Name = %{1}

$ man unlang

  This says put the string %{1} as the value of Stripped-User-Name.  See the data types' section of the manual page, and the strings section.

  Alan DeKok.
Re: FreeRadius + AD + Realms
Matthew P wrote:
> Although, now a new problem arose - I can't seem to get the (stripped) username in the inner-tunnel with preprocess. So the username stays in the form - u...@mydomain.com, but that isn't usable for a LDAP search (on the AD).

  So... decode the user-name using a regex.  You can then use that in the LDAP configuration.  The LDAP user search is configurable for a *reason*.

> Because there are realms involved in the scenario. If the realm is mydomain.com then radius needs to look up a user in AD. If the realm is mydomain2.com then it needs to consult sql. Otherwise it should proxy the request to a home server. What would be a proper way to do this? I thought setting up a virtual server for every scenario is the way to go?

  It's an option, but not the only way to do it.

if (User-Name =~ /@mydomain.com/) {
    ldap
}
elsif (User-Name =~ /@mydomain2.com/) {
    sql
}
else {
    update control {
        Proxy-To-Realm := other
    }
}

  Alan DeKok.
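The pieces of this thread (the `nostrip` realm, Alan's realm dispatch in this reply, the "use the captured name in the LDAP configuration" remark, and the `man unlang` point in the replies above that `%{1}` must be a double-quoted string to be expanded) fit together as follows. This is an added example, not configuration from the thread or from the FreeRADIUS project; it assumes the `ldap` and `sql` module instances are already configured, that `other` is a realm defined in proxy.conf, and that AD accounts are looked up by `sAMAccountName` (both assumptions, marked in the comments).

```unlang
# --- raddb/proxy.conf (added example) ---
# nostrip keeps the full identity in the outer request, so the EAP
# identity does not change between the outer and inner request.
realm mydomain.com {
    auth_pool = active_directory
    nostrip
}

# --- raddb/sites-enabled/inner-tunnel, authorize section (added example) ---
authorize {
    # Split the identity once. "%{1}" MUST be double-quoted: an unquoted
    # %{1} is stored as the literal text %{1}, which is exactly what the
    # debug line "performing user authorization for %{1}" showed.
    if (User-Name =~ /^(.*)@(.*)$/) {
        update request {
            Stripped-User-Name := "%{1}"
            Realm              := "%{2}"
        }
    }

    # Dispatch on the exact realm. An unanchored /@mydomain.com/ also
    # matches "user@mydomain.com.example" (and, since "." is a regex
    # wildcard, "user@mydomainXcom"), which would send a foreign identity
    # to the local directory instead of the proxy. Comparing the captured
    # realm as a whole string avoids that.
    if (Realm == "mydomain.com") {
        ldap
    }
    elsif (Realm == "mydomain2.com") {
        sql
    }
    else {
        update control {
            Proxy-To-Realm := other
        }
    }
    ...
}

# --- raddb/modules/ldap (added example; sAMAccountName is an assumption) ---
# Search AD by the stripped name, falling back to the full User-Name when
# no "@" was present.
ldap {
    ...
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    ...
}
```

The same `Stripped-User-Name` can be referenced from the `sql` module's queries, which covers the "I need the user portion for sql too" requirement without a second regex.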
Re: FreeRadius + AD + Realms
Thanks for your help Alan, it really makes a difference when learning about Freeradius configuration.

> So... decode the user-name using a regex.  You can then use that in the LDAP configuration.  The LDAP user search is configurable for a *reason*.

I forgot to mention that I need the user portion of u...@mydomain.com for sql too. u...@mydomain.com only needs to be sent to the home server (in case the user doesn't have @mydomain.com or @mydomain2.com). In other words, both AD and DB contain usernames, without any realms.

I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem to figure out how to make the logic - take everything before @ as a username. So please help. In a general regexp language, I guess that could be done with ([\w.-]+)(?...@.*).

> It's an option, but not the only way to do it.
>
> if (User-Name =~ /@mydomain.com/) {
>     ldap
> }
> elsif (User-Name =~ /@mydomain2.com/) {
>     sql
> }
> else {
>     update control {
>         Proxy-To-Realm := other
>     }
> }

Works nicely, thanks for this hint.

Matthew
Re: FreeRadius + AD + Realms
Matthew P wrote:
> I forgot to mention that I need the user portion of u...@mydomain.com for sql too. u...@mydomain.com only needs to be sent to the home server (in case the user doesn't have @mydomain.com or @mydomain2.com). In other words, both AD and DB contain usernames, without any realms.
>
> I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem to figure out how to make the logic - take everything before @ as a username. So please help.

  See man regex for the regex format.

> In a general regexp language, I guess that could be done with ([\w.-]+)(?...@.*).

  Most regexes don't support \w, or (?... constructs.  Keep it simple:

if (User-Name =~ /^(.*)@(.*)$/) {
    # name = %{1}
    # realm = %{2}
}

  Alan DeKok.
Re: FreeRadius + AD + Realms
> > realm mydomain.com {
> >     auth_pool = active_directory
>
> You'll need a line:
>
>     nostrip
>
> To avoid EAP identity issues.

This worked, thanks. Preprocess doesn't strip the username in the default server and EAP works.

Although, now a new problem arose - I can't seem to get the (stripped) username in the inner-tunnel with preprocess. So the username stays in the form - u...@mydomain.com, but that isn't usable for a LDAP search (on the AD). (btw. if I test without the realm portion of the scenario, like AD is the only source of authentication, it works)

> i.e. it doesn't proxy it.  This *does* work in 2.1.9.  So which version are you running?

I'm sorry, it was my mistake. I configured proxy_requests = no, because I thought it was meant for a server when it was only proxying requests from other sources (since this option opens a special proxying listening port). Fixed now, proxying to virtual server works.

> And why are you creating this complicated configuration?  The inner-tunnel virtual server is set up *precisely* for this kind of authentication.  You do EAP in the default server.  Then, the inner-tunnel server gets the PAP password, and you can configure it to look the user up in AD there.

Because there are realms involved in the scenario. If the realm is mydomain.com then radius needs to look up a user in AD. If the realm is mydomain2.com then it needs to consult sql. Otherwise it should proxy the request to a home server. What would be a proper way to do this? I thought setting up a virtual server for every scenario is the way to go?

TIA!
FreeRadius + AD + Realms
Hello everyone!

I'm new to FreeRadius, so please bear with me. :)

Goal: Make FreeRadius look up a user in ActiveDirectory if he has mydomain.com domain.
Used method: EAP/TTLS (PAP in the tunnel)

This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :) (it doesn't seem to load the local_ad virtual server configuration, which I placed in the sites-enabled directory, it seems to just carry on executing the default server)

parts from proxy.conf:

proxy server {
    default_fallback = no
}

home_server localhost_ad {
    type = auth
    virtual_server = local_ad
}

home_server_pool active_directory {
    type = fail-over
    virtual_server = local_ad
    home_server = localhost_ad
}

realm mydomain.com {
    auth_pool = active_directory
}

And the output:

rad_recv: Access-Request packet from host 192.168.0.101 port 1812, id=8, length=138
        NAS-IP-Address = 192.168.0.101
        NAS-Port-Type = Async
        User-Name = u...@mydomain.com
        Service-Type = Framed-User
        Framed-MTU = 1500
        Calling-Station-Id = 00-11-22-33-44-55
        EAP-Message = 0x021d016a73691d756e646363406c73732d6e65542e6c73732e6872
        Message-Authenticator = 0x10017179767a5ab6718168e8399c8993
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: Looking up realm mydomain.com for User-Name = u...@mydomain.com
    rlm_realm: Found realm mydomain.com
    rlm_realm: Adding Stripped-User-Name = user
    rlm_realm: Adding Realm = mydomain.com
    rlm_realm: Proxying request from user user to realm mydomain.com
    rlm_realm: Preparing to proxy authentication request to realm mydomain.com
++[suffix] returns updated
  rlm_eap: Request is supposed to be proxied to Realm mydomain.com.  Not doing EAP.
++[eap] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
There was no response configured: rejecting request 0
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} - u...@mydomain.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request

Thanks in advance!
Re: FreeRadius + AD + Realms
Matthew P wrote:
> I'm new to FreeRadius, so please bear with me. :)

  Good questions are a very good start.

> Goal: Make FreeRadius look up a user in ActiveDirectory if he has mydomain.com domain.
> Used method: EAP/TTLS (PAP in the tunnel)
>
> This is how I've done it, but it doesn't give the wanted results, so please explain a bit. :) (it doesn't seem to load the local_ad virtual server configuration, which I placed in the sites-enabled directory, it seems to just carry on executing the default server)

  If you read the start of the debug output, it *should* show it loading the local_ad virtual server.  The output below shows it not *proxying* the request to the local_ad virtual server.

> realm mydomain.com {
>     auth_pool = active_directory

  You'll need a line:

    nostrip

  To avoid EAP identity issues.

...

>     rlm_realm: Preparing to proxy authentication request to realm mydomain.com
> ++[suffix] returns updated
>   rlm_eap: Request is supposed to be proxied to Realm mydomain.com.  Not doing EAP.
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> There was no response configured: rejecting request 0

  i.e. it doesn't proxy it.  This *does* work in 2.1.9.  So which version are you running?

  And why are you creating this complicated configuration?  The inner-tunnel virtual server is set up *precisely* for this kind of authentication.  You do EAP in the default server.  Then, the inner-tunnel server gets the PAP password, and you can configure it to look the user up in AD there.

  In fact, you should only need to do the following:

* start with the default config
* uncomment ldap everywhere in raddb/sites-enabled/inner-tunnel
* configure raddb/modules/ldap to point to AD
* ensure you have the correct certificates for TTLS
* TTLS + PAP *should* work

  The default configuration is designed to work in the widest possible set of circumstances, with a minimal set of changes required to add any common functionality.

  Alan DeKok.