RE: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Beliars Fire
Hi,
 
thanks for the help. Actually, I decided to create a new VM and reinstall the 
complete server. I'm following the complete how-to, but I'm getting two 
different errors.
 
The First One is this:
 
It's under the first point: Configuring Authentication with Active Directory. 
I started the Samba and Kerberos services and used this command:
 
net join -U MyAdministrator

It worked. I'm getting this message:
Using short domain name -- MYDomain
Joined 'UBUNTU' to realm 'MYDomain'
 
The next step, wbinfo -a user%password, works too, but I'm getting this 
error message:
 
Could not authenticate user Username%Password with plaintext password
challenge/response password authentication succeeded

Is this normal? How can I fix it? The Response seems to work correctly.
 
 
The Second One is this:
 
It's the last point on this page: Configuring FreeRADIUS to use ntlm_auth for 
MS-CHAP
 
In this step, I must edit the following line with this text in the file 
/etc/freeradius/modules/mschap:
 
ntlm_auth = /path/to/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
 
But my default (commented) ntlm_auth looks like this:
 
 ntlm_auth = /usr/bin/ntlm_auth --request-nt-key 
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} 
--challenge=%{%{mschap:Challenge}:-00} 
--nt-response=%{%{mschap:NT-Response}:-00}  
 
In my default ntlm_auth, the option --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
is missing. Should I add it?
 
Actually, I'm using my default uncommented ntlm_auth. So I'm going to test the 
MS-CHAP authentication request with this command:
 
$ radtest -t mschap bob hello localhost 0 testing123
 
And I'm getting this error message:
 
Sending Access-Request of id 251 to 127.0.0.1 port 1812
 User-Name = bob
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 Message-Authenticator = 0x
 MS-CHAP-Challenge = 0x01774f129c72245c
 MS-CHAP-Response = 
0x000124ff68dcea66e8348622a45aa91804201f2102e9ecc0add6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251, length=38
 MS-CHAP-Error = \000E=691 R
 
/etc/freeradius/users
 
First line:
bob Cleartext-Password := hello 
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#

 
@Mathieu
Is there a current RADIUS-book that you can recommend?
 
-- BeliarsFire-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Alan DeKok
Beliars Fire wrote:
 The next step wbinfo -a user%password works too, but I'm getting
 this error message:
 
 Could not authenticate user Username%Password with plaintext password
 challenge/response password authentication succeeded
 
 Is this normal? How can I fix it? The response seems to work correctly.

  It's a Samba issue.  Ask the Samba people.

 In my default ntlm_auth, the option
 --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} is missing. Should I add it?

  Sure.  It's more needed if you use multiple domains.

 Actually I'm using my default uncommented ntlm_auth. So I'm going to
 test the MS-CHAP authentication request with this command:
 
 $ radtest -t mschap bob hello localhost 0 testing123
 
 And I'm getting this error message:
 
 Sending Access-Request of id 251 to 127.0.0.1 port 1812

  sigh  Run the server in debugging mode as suggested in the FAQ,
man page, web pages, and daily on this list.  Do NOT look at the
client output.  It's unimportant.

  Alan DeKok.


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread A . L . M . Buxey
Hi,

Could not authenticate user Username%Password with plaintext password
challenge/response password authentication succeeded

That's okay. It means you couldn't do PAP and only MSCHAPv2 worked. Expected for 
that command.

In this Step, i must edit the following line with this text in the file:
/etc/freeradius/modules/mschap
 
ntlm_auth = /path/to/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
 
But my default (commented) ntlm_auth looks like this:
 
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}

The docs and default values have separated over time.

In my default ntlm_auth, the option
--domain=%{%{mschap:NT-Domain}:-MYDOMAIN} is missing. Should i add it?

Depends on what you want to do and need to do. Do you TRUST your clients to be 
sending the correct domain? I don't... so I've set the domain manually.

$ radtest -t mschap bob hello localhost 0 testing123

First Line:
bob Cleartext-Password := hello

What's the users file got to do with anything? If you have clashing usernames 
you will have a few problems.
I expect you are trying to test your AD? The radtest failed due to an incorrect 
password, i.e. the AD is not bob/hello.

I'd recommend using 'eapol_test' for better/advanced testing; it's part of the 
wpa_supplicant package.

@Mathieu
Is there a current RADIUS-book that you can recommend?

FreeRADIUS for beginners is a good current book.

alan
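As an added example of the eapol_test route recommended here (not the poster's configuration, and not taken from the wpa_supplicant or FreeRADIUS documentation): a wpa_supplicant-style network block that drives a full PEAP/MS-CHAPv2 exchange against the server, which is what an 802.1X client actually sends, whereas radtest -t mschap only sends bare MS-CHAP attributes. The user bob/hello and the shared secret testing123 come from the thread; the CA certificate path is an assumption.

```conf
# peap-mschapv2.conf: eapol_test configuration (constructed example)
# Run against a local FreeRADIUS using the default clients.conf secret:
#   eapol_test -c peap-mschapv2.conf -a 127.0.0.1 -p 1812 -s testing123
# The last line of the output is SUCCESS or FAILURE; the reason for a failure
# is in the server's debug output (freeradius -X), as Alan DeKok says above.
network={
    key_mgmt=WPA-EAP
    eap=PEAP
    # Outer identity: only this travels in clear. The real username and the
    # MS-CHAPv2 exchange are carried inside the TLS tunnel.
    anonymous_identity="anonymous"
    identity="bob"
    password="hello"
    phase2="auth=MSCHAPV2"
    # Verify the server certificate. Without ca_cert the supplicant accepts any
    # server, which is what a rogue access point relies on to capture credentials;
    # a test client should check the certificate the way a real client must.
    ca_cert="/etc/freeradius/certs/ca.pem"   # assumed path (Debian/Ubuntu packages)
}
```

Because the whole EAP conversation is exercised, a SUCCESS here also confirms the inner-tunnel virtual server, the mschap module and ntlm_auth together, which radtest cannot do.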


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-14 Thread Mathieu Simon
Hi

While I generally chime in with Alan's later message, one important thing you
should start reading about and differentiating is Authentication and
Authorization (the latter is Accounting of AAA with RADIUS).

While you can do Authorization using LDAP with AD, you can't do the
Authentication part using LDAP against AD. Using Samba and ntlm_auth is the
way to go, due to how AD stores passwords.

Read deployingradius.com, especially the compatibility matrix and
Authentication Systems and Password Compatibility.

You may do LDAP load balancing on the authorization part, but ntlm_auth and
balancing / failover is done by Samba.
Otherwise, if you want to go deeper, get a RADIUS book :-) I can confirm
that the initial curve may be a bit steep if you haven't done any RADIUS
before, but it's well worth it since it gets you a better overall
understanding of AAA and RADIUS, which will definitely help if something
goes belly up.

-- Mathieu

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-13 Thread Alan DeKok
Beliars Fire wrote:
 - I worked through this tutorial step by step. On the last two steps, I
 configured FreeRADIUS to use ntlm_auth. This was obviously wrong, because
 I want to implement LDAP servers.

  Please, don't think you're smarter than people with decades more
experience than you.  It's not polite.

  Follow the instructions in the web page.  Why?  Because they work.

  If you get rid of ntlm_auth, then your users won't be able to
authenticate using 802.1X.

 DEFAULT Auth-Type = ntlm_auth # Change it to LDAP, right?

  No.  Follow the web page.

  If you're not going to follow instructions, then there's no point in
asking questions on this list.

 ... # Did I need these settings in this version?

  No.

 /etc/freeradius/sites-enabled/inner-tunnel
 ...
 authenticate {
 ntlm_auth # Change it to LDAP, right?

  No.

 ...
 
 I'm editing this file, after your post:
 
 /etc/freeradius/users
 
 DEFAULT Auth-Type = ldap

  No.

 After changing, I'm getting this error:
 /etc/freeradius/users[1]: Parse error (check) for entry DEFAULT:
 Unknown value ldap for attribute Auth-Type
 
 So, ldap isn't possible as Auth-Type? Which one must I use?

  It's possible.  But it won't work for you.  So don't do it.

 Thanks for the help! I have been working with Linux for 4 weeks, so it's
 hard to be aware of all functions of FreeRADIUS and Linux.

  It's dead simple.  Follow the web page.  It has step by step
instructions for how to get it to work.  The instructions are correct.
Anyone who knows how to use a text editor can follow them.

  The point of documentation is so non-experts can get things done.  If
you're going to ignore the documentation, then you're on your own.

  Alan DeKok.


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 16:29, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

 
 It's like you're asking for flying lessons, and showing up with a
 bicycle.  There's a bit of a disconnect somewhere.
 
 Not true, they make these awesome little fold up bikes you can chuck in the 
 back of the plane.

Still trying to come up with a justification for an rlm_avionics module.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 15:47, Kevin Bigalke beliarsf...@outlook.com wrote:

 Hello,
 I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 
 802.1 works perfectly. I'm using a Windows LDAP server for the login and want 
 to add a second LDAP server for a failover. I'm following the tutorials to 
 set up my FreeRADIUS server: *Click*. I can't find a suitable tutorial for 
 adding a second LDAP server for a failover. Which files are responsible for 
 the integration of a second LDAP server? These are my current settings:

ldap {
server = serv01.xyz.local,serv02.xyz.local
...
}

libldap handles failover.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Alan DeKok
Kevin Bigalke wrote:
 I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login
 with 802.1 works perfectly. I'm using a Windows LDAP server for the
 login and want to add a second LDAP server for a failover. I'm
 following the tutorials to set up my FreeRADIUS server: Click
 (http://deployingradius.com/). I can't find a suitable tutorial for
 adding a second LDAP server for a failover. Which files are responsible
 for the integration of a second LDAP server?

  raddb/modules/ldap

 These are my current Settings:

  That seems reasonable.

 /etc/samba/smb.conf:

  Which largely doesn't matter for FreeRADIUS.

 /etc/freeradius/sites-enabled/inner-tunnel:
 
 authenticate {
 ntlm_auth

  So... you're not using LDAP.

  Let's start from the beginning.  What, exactly are you trying to do?
What have you done?  Why did you think that would work?

  Be specific.

  In short, you *can't* do LDAP fail-over if you're using ntlm_auth.
That's because ntlm_auth interacts with Samba.  And you have *no* LDAP
configuration in the authorize section.  And Samba takes care of
Samba-related fail-overs, so LDAP isn't necessary.

  It's like you're asking for flying lessons, and showing up with a
bicycle.  There's a bit of a disconnect somewhere.

  Alan DeKok.



Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Kevin Bigalke
Hello,
I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login 
with 802.1 works perfectly. I'm using a Windows LDAP server for the 
login and want to add a second LDAP server for a failover. I'm 
following the tutorials to set up my FreeRADIUS server: *Click*. I can't find a 
suitable tutorial for adding a second LDAP server for a failover. Which files 
are responsible for the integration of a second LDAP server? These are my 
current settings:


 
/etc/freeradius/modules/ldap:

ldap ldap1 {
    server = serv01.xyz.local
    basedn = dc=xyz,dc=local
    filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

ldap ldap2 {
    server = serv02.xyz.local
    basedn = dc=xyz,dc=local
    filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60
        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3
        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}

/etc/samba/smb.conf:

[global]
    workgroup = XYZ
    dns proxy = no
    security = ads
    # both DCs on one line: Samba takes a space-separated list, and a repeated
    # "password server" key would only override the earlier value
    password server = serv01.xyz.local serv02.xyz.local
    winbind separator = +

/etc/freeradius/sites-enabled/inner-tunnel:

authenticate {
    ntlm_auth
    …

/etc/freeradius/sites-enabled/default:

authenticate {
    ntlm_auth
    …

/etc/freeradius/users:
DEFAULT Auth-Type = ntlm_auth

Thanks for Help!
BeliarsFire
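Pulling the replies above together (Arran: one ldap instance listing both hosts, with libldap doing the failover; Alan Buxey: pin the domain in ntlm_auth instead of trusting the client; Mathieu: LDAP for authorization, ntlm_auth via the mschap module for authentication), this is how the configuration posted above would look. It is an added example, not the poster's files and not copied from the deployingradius.com guide; the bind account in identity, the bind password placeholder and the sAMAccountName filter are assumptions, and the domain XYZ is the workgroup from the smb.conf above.

```conf
# /etc/freeradius/modules/ldap  (added example, not the original poster's file)
# One instance instead of ldap1/ldap2: libldap is handed both hosts and tries
# them in order, so a dead serv01 costs at most net_timeout seconds per request.
ldap {
    server = "serv01.xyz.local,serv02.xyz.local"
    identity = "cn=radius,cn=Users,dc=xyz,dc=local"   # assumed read-only bind account
    password = "BIND-PASSWORD-PLACEHOLDER"
    basedn = "dc=xyz,dc=local"
    # AD accounts are looked up by sAMAccountName; the uid attribute used in the
    # posted config is normally empty on AD users.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        # As posted. With start_tls = no the bind password and every lookup
        # cross the network in clear; turn it on once the DCs carry certificates.
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    # LDAP never sets Auth-Type here: it is used for authorization only, since
    # an LDAP bind cannot verify an MS-CHAP response against AD.
    set_auth_type = no
}

# /etc/freeradius/modules/mschap
mschap {
    with_ntdomain_hack = yes
    # --domain pinned to the Samba workgroup rather than taken from the client
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=XYZ --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# /etc/freeradius/sites-enabled/inner-tunnel  (the PEAP inner request; the same
# authorize/authenticate split applies in sites-enabled/default)
authorize {
    mschap      # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    suffix
    eap {
        ok = return
    }
    files
    ldap        # authorization only: group membership and reply attributes
    expiration
    logintime
}

authenticate {
    Auth-Type MS-CHAP {
        mschap  # runs ntlm_auth; winbind/Samba handles the DC failover
    }
    eap
}
```

With the mschap module setting Auth-Type itself, the DEFAULT Auth-Type = ntlm_auth line in /etc/freeradius/users is not needed for MS-CHAP requests. The radtest -t mschap check from the thread exercises exactly this path, and it still needs the user's real AD password, which is why bob/hello was rejected.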

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

  It's like you're asking for flying lessons, and showing up with a
 bicycle.  There's a bit of a disconnect somewhere.

Not true, they make these awesome little fold up bikes you can chuck in the 
back of the plane.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
