RE: Freeradius 2.1.12 Second LDAP Server
Hi, thanks for the help. Actually I decided to create a new VM and reinstall the complete server. I'm following the complete How-To, but I'm getting two different errors.

The first one is this. It's under the first point, "Configuring Authentication with Active Directory". I started the Samba and Kerberos services and used this command:

    net join -U MyAdministrator

Worked. I'm getting this message:

    Using short domain name -- MYDomain
    Joined 'UBUNTU' to realm 'MYDomain'

The next step, wbinfo -a user%password, works too, but I'm getting this error message:

    Could not authenticate user Username%Password with plaintext password
    challenge/response password authentication succeeded

Is this normal? How can I fix it? The response seems to work correctly.

The second one is this. It's the last point on this page, "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP". In this step I must edit the following line with this text in the file /etc/freeradius/modules/mschap:

    ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

But my default commented ntlm_auth looks like this:

    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}

In my default ntlm_auth, the option --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} is missing. Should I add it? Actually I'm using my default uncommented ntlm_auth.

So, I'm going to test the MS-CHAP authentication request with this command:

    $ radtest -t mschap bob hello localhost 0 testing123

And I'm getting this error message:

    Sending Access-Request of id 251 to 127.0.0.1 port 1812
            User-Name = bob
            NAS-IP-Address = 127.0.1.1
            NAS-Port = 0
            Message-Authenticator = 0x
            MS-CHAP-Challenge = 0x01774f129c72245c
            MS-CHAP-Response = 0x000124ff68dcea66e8348622a45aa91804201f2102e9ecc0add6
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251, length=38
            MS-CHAP-Error = \000E=691 R

/etc/freeradius/users, first line:

    bob Cleartext-Password := hello
    #
    # Please read the documentation file ../doc/processing_users_file,
    # or 'man 5 users' (after installing the server) for more information.
    #

@Mathieu: Is there a current RADIUS book that you can recommend?

-- 
BeliarsFire

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius 2.1.12 Second LDAP Server
Beliars Fire wrote:
> The next step, wbinfo -a user%password, works too, but I'm getting this error message:
>
>     Could not authenticate user Username%Password with plaintext password
>     challenge/response password authentication succeeded
>
> Is this normal? How can I fix it? The response seems to work correctly.

  It's a Samba issue.  Ask the Samba people.

> In my default ntlm_auth, the option --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} is missing. Should I add it?

  Sure.  It's more needed if you use multiple domains.

> Actually I'm using my default uncommented ntlm_auth.
>
> So, I'm going to test the MS-CHAP authentication request with this command:
>
>     $ radtest -t mschap bob hello localhost 0 testing123
>
> And I'm getting this error message:
>
>     Sending Access-Request of id 251 to 127.0.0.1 port 1812

  sigh

  Run the server in debugging mode as suggested in the FAQ, man page, web pages, and daily on this list.

  Do NOT look at the client output.  It's unimportant.

  Alan DeKok.
Re: Freeradius 2.1.12 Second LDAP Server
Hi,

> Could not authenticate user Username%Password with plaintext password
> challenge/response password authentication succeeded

that's okay. means you couldn't do PAP and only MSCHAPv2 worked. expected for that command.

> In this step I must edit the following line with this text in the file /etc/freeradius/modules/mschap:
>
>     ntlm_auth = /path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
>
> But my default commented ntlm_auth looks like this:
>
>     ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}

the docs and default values have separated over time.

> In my default ntlm_auth, the option --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} is missing. Should I add it?

depends on what you want to do and need to do. do you TRUST your clients to be sending the correct domain? I don't...so I've set the domain manually.

>     $ radtest -t mschap bob hello localhost 0 testing123
>
> First line:
>
>     bob Cleartext-Password := hello

what's the users file got to do with anything? if you have clashing usernames you will have a few problems. I expect you are trying to test your AD? the radtest failed due to incorrect password.. ie the AD is not bob/hello

I'd recommend using 'eapol_test' for better/advanced testing - it's part of the wpa_supplicant package.

> @Mathieu: Is there a current RADIUS book that you can recommend?

FreeRADIUS for beginners is a good current book

alan
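The difference between the two ntlm_auth lines above is entirely in how the %{...} expansions fall back when a value is missing. The following is an added example for this thread, not FreeRADIUS code and not from any poster: a small Python expander for the subset of the FreeRADIUS 2.x xlat syntax those lines use (plain attributes, module:argument, and the %{%{expr}:-default} and older %{expr:-default} conditional forms), plus a constructed stand-in for the mschap module's xlat that only splits a DOMAIN\user login into NT-Domain and User-Name. The challenge hex value is the one printed by radtest in the question; the NT-Response value, the user names and the attribute dictionary are constructed for the example.

```python
"""Toy expander for the FreeRADIUS 2.x xlat syntax used in the ntlm_auth lines.

Added illustration for this thread; it is not FreeRADIUS code.  It supports
only the forms the two lines above use:
  %{Attribute-Name}        value of a request attribute, or ""
  %{module:argument}       module expansion (only a toy "mschap" is provided)
  %{%{expr}:-default}      2.x conditional: "default" if "expr" expands to ""
  %{expr:-default}         the older form used in the deployingradius docs
"""


def _find_close(s, open_idx):
    """Index of the '}' that matches the '{' at open_idx (braces may nest)."""
    depth = 0
    for k in range(open_idx, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in xlat: %r" % s)


def _split_default(inner):
    """Split 'expr:-default' at the first ':-' that is outside nested braces."""
    depth = 0
    for k in range(len(inner) - 1):
        c = inner[k]
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif depth == 0 and c == ":" and inner[k + 1] == "-":
            return inner[:k], inner[k + 2:]
    return inner, None


def _mschap_xlat(argument, attrs):
    """Constructed stand-in for the mschap module's xlat.  User-Name/NT-Domain
    split a DOMAIN\\user login the way the real module does; Challenge and
    NT-Response are simply read from pre-filled hex attributes here, whereas
    the real module derives them from the MS-CHAP attributes of the request."""
    user = attrs.get("User-Name", "")
    domain, sep, name = user.partition("\\")
    if not sep:                      # no backslash: the whole string is the name
        domain, name = "", user
    return {
        "User-Name": name,
        "NT-Domain": domain,
        "Challenge": attrs.get("MS-CHAP-Challenge", ""),
        "NT-Response": attrs.get("MS-CHAP-NT-Response", ""),
    }.get(argument, "")


MODULES = {"mschap": _mschap_xlat}


def expand(template, attrs):
    """Expand every %{...} in template against the request attributes."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            close = _find_close(template, i + 1)
            out.append(_expand_braced(template[i + 2:close], attrs))
            i = close + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _expand_braced(inner, attrs):
    expr, default = _split_default(inner)
    if expr.startswith("%{"):                 # nested xlat, e.g. %{%{User-Name}:-None}
        value = expand(expr, attrs)
    elif ":" in expr:                         # module:argument
        module, argument = expr.split(":", 1)
        value = MODULES.get(module, lambda a, r: "")(argument, attrs)
    else:                                     # plain attribute reference
        value = attrs.get(expr, "")
    if value == "" and default is not None:
        return expand(default, attrs)
    return value


# The two ntlm_auth lines quoted in the thread (path and domain placeholders as given there).
DOC_LINE = ("/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None}"
            " --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}"
            " --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}")
DEFAULT_LINE = ("/usr/bin/ntlm_auth --request-nt-key"
                " --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}"
                " --challenge=%{%{mschap:Challenge}:-00}"
                " --nt-response=%{%{mschap:NT-Response}:-00}")


def ntlm_auth_command(template, user_name, challenge="", nt_response="", stripped=None):
    """Build the ntlm_auth command line for one constructed request."""
    attrs = {"User-Name": user_name,
             "MS-CHAP-Challenge": challenge,
             "MS-CHAP-NT-Response": nt_response}
    if stripped is not None:                  # set when a realm was stripped earlier
        attrs["Stripped-User-Name"] = stripped
    return expand(template, attrs)


if __name__ == "__main__":
    # Challenge hex is the one printed by radtest above; the NT-Response is constructed.
    for user in ("bob", "XYZ\\bob"):
        print(ntlm_auth_command(DOC_LINE, user, "01774f129c72245c", "0123456789abcdef"))
        print(ntlm_auth_command(DEFAULT_LINE, user, "01774f129c72245c", "0123456789abcdef"))
```

Running it shows the point made in the replies: with the documented line, a request for plain "bob" ends up with --domain=MYDOMAIN (the fallback), while a request for "XYZ\bob" ends up with --username=bob --domain=XYZ, i.e. whatever domain the client chose to send. The default line never emits --domain at all and, unless something earlier set Stripped-User-Name, passes "XYZ\bob" through to --username unchanged; which of the two you want depends on whether you trust clients to supply the domain.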
Re: Freeradius 2.1.12 Second LDAP Server
Hi

While I generally chime in with Alan's later message, one important thing you should start reading about and differentiating is Authentication and Authorization (the latter is Accounting of AAA with RADIUS). While you can do Authorization using LDAP with AD, you can't do the Authentication part using LDAP against AD. Using Samba and ntlm_auth is the way to go, due to how AD stores passwords.

Read deployingradius.com, especially the compatibility matrix and Authentication Systems and Password Compatibility. You may do LDAP load balancing on the authorization part, but ntlm_auth and balancing / failover is done by Samba.

Otherwise if you want to go deeper, get a RADIUS book :-) I can confirm that the initial curve may be a bit steep if you haven't done any RADIUS before, but it's well worth it since it gets you better overall understanding on AAA and RADIUS, which will definitely help if something goes belly up.

-- 
Mathieu
Re: Freeradius 2.1.12 Second LDAP Server
Beliars Fire wrote:
> - I worked through this tutorial step by step. On the last two steps, I configured FreeRADIUS to use ntlm_auth. This was obviously wrong, because I want to implement LDAP servers.

  Please, don't think you're smarter than people with decades more experience than you.  It's not polite.

  Follow the instructions in the web page.  Why?  Because they work.

  If you get rid of ntlm_auth, then your users won't be able to authenticate using 802.1X.

>     DEFAULT Auth-Type = ntlm_auth
> # Change it to LDAP, right?

  No.  Follow the web page.  If you're not going to follow instructions, then there's no point in asking questions on this list.

> ...
> # Did I need these settings in this version?

  No.

> /etc/freeradius/sites-enabled/inner-tunnel
> ...
>     authenticate {
>         ntlm_auth
> # Change it to LDAP, right?

  No.

> ...
> I'm editing this file after your post:
> /etc/freeradius/users
>     DEFAULT Auth-Type = ldap

  No.

> After changing, I'm getting this error:
>
>     /etc/freeradius/users[1]: Parse error (check) for entry DEFAULT: Unknown value ldap for attribute Auth-Type
>
> So, ldap isn't possible as Auth-Type? Which one must I use?

  It's possible.  But it won't work for you.  So don't do it.

> Thanks for help! I have been working with Linux for 4 weeks, so it's hard to be aware of all functions of FreeRADIUS and Linux.

  It's dead simple.  Follow the web page.  It has step by step instructions for how to get it to work.  The instructions are correct.  Anyone who knows how to use a text editor can follow them.

  The point of documentation is so non-experts can get things done.  If you're going to ignore the documentation, then you're on your own.

  Alan DeKok.
Re: Freeradius 2.1.12 Second LDAP Server
On 12 Sep 2013, at 16:29, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>> It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere.
>
> Not true, they make these awesome little fold up bikes you can chuck in the back of the plane.

Still trying to come up with a justification for an rlm_avionics module.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Freeradius 2.1.12 Second LDAP Server
On 12 Sep 2013, at 15:47, Kevin Bigalke beliarsf...@outlook.com wrote:
> Hello, I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 802.1 works perfectly. I'm using a Windows LDAP server for the login and want to add a second LDAP server for a failover. I'm following the tutorials to set up my FreeRADIUS server: Click. I can't find a suitable tutorial for adding a second LDAP server for a failover. Which files are responsible for the integration of a second LDAP server?
>
> These are my current settings:
>
>     ldap {
>         server = serv01.xyz.local,serv02.xyz.local
>         ...
>     }

libldap handles failover.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Freeradius 2.1.12 Second LDAP Server
Kevin Bigalke wrote:
> I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 802.1 works perfectly. I'm using a Windows LDAP server for the login and want to add a second LDAP server for a failover. I'm following the tutorials to set up my FreeRADIUS server: Click http://deployingradius.com/. I can't find a suitable tutorial for adding a second LDAP server for a failover. Which files are responsible for the integration of a second LDAP server?

  raddb/modules/ldap

> These are my current settings:

  That seems reasonable.

> /etc/samba/smb.conf:

  Which largely doesn't matter for FreeRADIUS.

> /etc/freeradius/sites-enabled/inner-tunnel:
>
>     authenticate {
>         ntlm_auth

  So... you're not using LDAP.

  Let's start from the beginning.  What, exactly, are you trying to do?  What have you done?  Why did you think that would work?

  Be specific.

  In short, you *can't* do LDAP fail-over if you're using ntlm_auth.  That's because ntlm_auth interacts with Samba.  And you have *no* LDAP configuration in the authorize section.  And Samba takes care of Samba-related fail-overs, so LDAP isn't necessary.

  It's like you're asking for flying lessons, and showing up with a bicycle.  There's a bit of a disconnect somewhere.

  Alan DeKok.
Freeradius 2.1.12 Second LDAP Server
Hello, I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 802.1 works perfectly. I'm using a Windows LDAP server for the login and want to add a second LDAP server for a failover. I'm following the tutorials to set up my FreeRADIUS server: Click. I can't find a suitable tutorial for adding a second LDAP server for a failover. Which files are responsible for the integration of a second LDAP server?

These are my current settings:

/etc/freeradius/modules/ldap:

    ldap ldap1 {
        server = serv01.xyz.local
        basedn = dc=xyz,dc=local
        filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        set_auth_type = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

    ldap ldap2 {
        server = serv02.xyz.local
        basedn = dc=xyz,dc=local
        filter = (uid=%{%{Stripped-User-Name}:-%{User-Name}})
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        set_auth_type = no
        keepalive {
            # LDAP_OPT_X_KEEPALIVE_IDLE
            idle = 60
            # LDAP_OPT_X_KEEPALIVE_PROBES
            probes = 3
            # LDAP_OPT_X_KEEPALIVE_INTERVAL
            interval = 3
        }
    }

/etc/samba/smb.conf:

    [global]
    workgroup = XYZ
    dns proxy = no
    security = ads
    password server = serv01.xyz.local
    password server = serv02.xyz.local
    winbind separator = +

/etc/freeradius/sites-enabled/inner-tunnel:

    authenticate {
        ntlm_auth
        …

/etc/freeradius/sites-enabled/default:

    authenticate {
        ntlm_auth
        …

/etc/freeradius/users:

    DEFAULT Auth-Type = ntlm_auth

Thanks for help!

BeliarsFire
Re: Freeradius 2.1.12 Second LDAP Server
> It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere.

Not true, they make these awesome little fold up bikes you can chuck in the back of the plane.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team