Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread A . L . M . Buxey
Hi,

>Could not authenticate user Username%Password with plaintext password
>challenge/response password authentication succeeded

That's okay. It means you couldn't do PAP and only MSCHAPv2 worked. Expected for
that command.

>In this Step, i must edit the following line with this text in the file:
>/etc/freeradius/modules/mschap
> 
>ntlm_auth = "/path/to/ntlm_auth --request-nt-key
>--username=%{mschap:User-Name:-None}
>--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
>--challenge=%{mschap:Challenge:-00}
>--nt-response=%{mschap:NT-Response:-00}"
> 
>But my default commented ntml_auth looks like this:
> 
>ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
>--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
>--challenge=%{%{mschap:Challenge}:-00}
>--nt-response=%{%{mschap:NT-Response}:-00}"

The docs and default values have separated over time.

>In my default ntlm_auth, the option
>"--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" is missing. Should i add it?

Depends on what you want to do and need to do. Do you TRUST your clients to be
sending the correct domain? I don't... so I've set the domain manually.

>$ radtest -t mschap bob hello localhost 0 testing123

>First Line:
>bob Cleartext-Password := "hello"

What's the users file got to do with anything? If you have clashing usernames
you will have a few problems.
I expect you are trying to test your AD? The radtest failed due to an incorrect
password, i.e. the AD is not bob/hello.

I'd recommend using 'eapol_test' for better/advanced testing - it's part of the
wpa_supplicant package.

>@Mathieu
>Is there a current RADIUS-book that you can recommend?

"FreeRADIUS for beginners" is a good current book

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
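The domain question Alan raises above comes down to where each part of the ntlm_auth command line is filled in from. The script below is an added example, not code from FreeRADIUS or from anyone in this thread: it models the server's `%{...}` expansion with `:-` defaults (a simplified subset of the real xlat rules, assumed here for illustration only) and expands the two ntlm_auth lines quoted above, plus a variant with the domain pinned, against a constructed request, once where the client supplied an NT-Domain and once where it did not. The request contents and the hex values are constructed, not captured traffic.

```python
import shlex

# The two ntlm_auth templates quoted in the thread (docs version and the
# shipped default), plus a variant that pins the domain instead of taking it
# from the client, which is what "set the domain manually" amounts to.
DOCS_LINE = ("/path/to/ntlm_auth --request-nt-key "
             "--username=%{mschap:User-Name:-None} "
             "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN} "
             "--challenge=%{mschap:Challenge:-00} "
             "--nt-response=%{mschap:NT-Response:-00}")

DEFAULT_LINE = ("/usr/bin/ntlm_auth --request-nt-key "
                "--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} "
                "--challenge=%{%{mschap:Challenge}:-00} "
                "--nt-response=%{%{mschap:NT-Response}:-00}")

PINNED_DOMAIN_LINE = DEFAULT_LINE + " --domain=MYDOMAIN"


def _matching_brace(s, start):
    """Index of the '}' that closes the '{' at s[start]."""
    depth = 0
    for i in range(start, len(s)):
        if s[i] == "{":
            depth += 1
        elif s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces in xlat string: " + s)


def _split_default(inner):
    """Split 'X:-Y' at the first ':-' that is not inside nested braces."""
    depth = 0
    for i in range(len(inner) - 1):
        if inner[i] == "{":
            depth += 1
        elif inner[i] == "}":
            depth -= 1
        elif depth == 0 and inner[i:i + 2] == ":-":
            return inner[:i], inner[i + 2:]
    return inner, None


def expand(template, request):
    """Expand %{attr}, %{module:attr} and %{X:-default} references.

    `request` maps an attribute name (or 'module:attr') to a string; a missing
    or empty attribute counts as unset and triggers the default. This is a
    simplified model of the server's xlat rules (assumption for illustration).
    """
    out = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            primary, default = _split_default(template[i + 2:end])
            if primary.startswith("%{"):
                value = expand(primary, request)   # nested reference
            else:
                value = request.get(primary, "")   # plain attribute lookup
            if value == "" and default is not None:
                value = expand(default, request)
            out.append(value)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def build_argv(template, request):
    """Expand a template into the argv the server would hand to exec()."""
    return shlex.split(expand(template, request))


def domain_arg(argv):
    """Value of --domain=... in argv, or None when no domain is passed."""
    for arg in argv:
        if arg.startswith("--domain="):
            return arg[len("--domain="):]
    return None


# Constructed requests (illustrative values, not captured traffic). The
# mschap:* entries stand for what the mschap module exposes after decoding the
# MS-CHAPv2 attributes; NT-Domain is only present when the client sent one.
COMMON = {
    "User-Name": "bob",
    "mschap:User-Name": "bob",
    "mschap:Challenge": "0011223344556677",
    "mschap:NT-Response": "00" * 24,
}
CLIENT_SENT_DOMAIN = {**COMMON, "mschap:NT-Domain": "OTHERDOMAIN"}
CLIENT_SENT_NO_DOMAIN = dict(COMMON)

if __name__ == "__main__":
    for name, template in (("docs", DOCS_LINE), ("default", DEFAULT_LINE),
                           ("pinned", PINNED_DOMAIN_LINE)):
        for label, req in (("domain sent", CLIENT_SENT_DOMAIN),
                           ("no domain", CLIENT_SENT_NO_DOMAIN)):
            print(f"{name:8} {label:12} --domain -> "
                  f"{domain_arg(build_argv(template, req))}")
```

Running it shows the three behaviours side by side: with the docs line, whatever domain the client put in its MS-CHAP response lands on the ntlm_auth command line and MYDOMAIN is only the fallback; with the shipped default there is no `--domain` argument at all, so the choice is left to ntlm_auth/winbind rather than the client; with the pinned variant the domain is fixed regardless of what the client sent.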


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Alan DeKok
Beliars Fire wrote:
> The next step wbinfo -a user%password works too, but I'm getting
> this error message:
> 
> Could not authenticate user Username%Password with plaintext password
> challenge/response password authentication succeeded
> 
> Is this normal? How can I fix it? The response seems to work correctly.

  It's a Samba issue.  Ask the Samba people.

> In my default ntlm_auth, the option
> "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}" is missing. Should I add it?

  Sure.  It's more needed if you use multiple domains.

> Actually I'm using my default uncommented ntlm_auth. So, I'm going to
> test the MS-CHAP authentication request with this command:
> 
> $ radtest -t mschap bob hello localhost 0 testing123
> 
> And I'm getting this error message:
> 
> Sending Access-Request of id 251 to 127.0.0.1 port 1812

Run the server in debugging mode as suggested in the FAQ,
"man" page, web pages, and daily on this list.  Do NOT look at the
client output.  It's unimportant.

  Alan DeKok.


RE: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Beliars Fire
Hi,
 
thanks for the help. Actually, I've decided to create a new VM and reinstall the
complete server. I'm following the complete how-to, but I'm getting two
different errors.
 
The First One is this:
 
It's under the first point, Configuring Authentication with Active Directory.
I started the Samba and Kerberos services and used this command:
 
net join -U MyAdministrator

Worked. I'm getting this message:
Using short domain name -- MYDomain
Joined 'UBUNTU' to realm 'MYDomain'
 
The next step, wbinfo -a user%password, works too, but I'm getting this
error message:
 
Could not authenticate user Username%Password with plaintext password
challenge/response password authentication succeeded

Is this normal? How can I fix it? The response seems to work correctly.
 
 
The Second One is this:
 
It's the last point on this page: Configuring FreeRADIUS to use ntlm_auth for
MS-CHAP
 
In this step, I must edit the following line with this text in the file:
/etc/freeradius/modules/mschap
 
ntlm_auth = "/path/to/ntlm_auth --request-nt-key 
--username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
 
But my default commented ntlm_auth looks like this:
 
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
--challenge=%{%{mschap:Challenge}:-00}
--nt-response=%{%{mschap:NT-Response}:-00}"
 
In my default ntlm_auth, the option "--domain=%{%{mschap:NT-Domain}:-MYDOMAIN}"
is missing. Should I add it?
 
Actually I'm using my default uncommented ntlm_auth. So, I'm going to test the
MS-CHAP authentication request with this command:
 
$ radtest -t mschap bob hello localhost 0 testing123
 
And I'm getting this error message:
 
Sending Access-Request of id 251 to 127.0.0.1 port 1812
 User-Name = "bob"
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0
 Message-Authenticator = 0x
 MS-CHAP-Challenge = 0x01774f129c72245c
 MS-CHAP-Response = 
0x000124ff68dcea66e8348622a45aa91804201f2102e9ecc0add6
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=251, length=38
 MS-CHAP-Error = "\000E=691 R
 
/etc/freeradius/users
 
First Line:
bob Cleartext-Password := "hello" 
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
#

 
@Mathieu
Is there a current RADIUS-book that you can recommend?
 
-- BeliarsFire

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-14 Thread Mathieu Simon
Hi

While I generally chime in with Alan's later message, one important thing you
should start reading about and differentiating is Authentication and
Authorization (the latter is Accounting of AAA with RADIUS).

While you can do Authorization using LDAP with AD, you can't do the
Authentication part using LDAP against AD. Using Samba and ntlm_auth is the
way to go; that is due to how AD stores passwords.

Read deployingradius.com, especially the compatibility matrix and
"Authentication Systems and Password Compatibility".

You may do LDAP load balancing on the authorization part, but ntlm_auth and
balancing / failover is done by Samba.
Otherwise, if you want to go deeper, get a RADIUS book :-) I can confirm
that the initial curve may be a bit steep if you haven't done any RADIUS
before, but it's well worth it since it gets you a better overall
understanding of AAA and RADIUS, which will definitely help if something
goes belly up.

-- Mathieu

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-13 Thread Alan DeKok
Beliars Fire wrote:
> I worked through this tutorial step by step. On the last two steps, I
> configured FreeRADIUS to use ntlm_auth. This was obviously wrong, because
> I want to implement LDAP servers.

  Please, don't think you're smarter than people with decades more
experience than you.  It's not polite.

  Follow the instructions in the web page.  Why?  Because they work.

  If you get rid of ntlm_auth, then your users won't be able to
authenticate using 802.1X.

> DEFAULT Auth-Type = ntlm_auth # Change it to LDAP, right?

  No.  Follow the web page.

  If you're not going to follow instructions, then there's no point in
asking questions on this list.

> ... # Did I need these settings in this version?

  No.

> /etc/freeradius/sites-enabled/inner-tunnel
> ...
> authenticate {
> ntlm_auth # Change it to LDAP, right?

  No.

> ...
> 
> I'm editing this file, after your post:
> 
> /etc/freeradius/users
> 
> DEFAULT Auth-Type = ldap

  No.

> After changing, I'm getting this error:
> /etc/freeradius/users[1]: Parse error (check) for entry DEFAULT:
> Unknown value ldap for attribute Auth-Type
> 
> So, ldap isn't possible as Auth-Type? Which one must I use?

  It's possible.  But it won't work for you.  So don't do it.

> Thanks for the help! I've been working with Linux for 4 weeks, so it's hard
> to be aware of all functions of FreeRADIUS and Linux.

  It's dead simple.  Follow the web page.  It has step by step
instructions for how to get it to work.  The instructions are correct.
Anyone who knows how to use a text editor can follow them.

  The point of documentation is so non-experts can get things done.  If
you're going to ignore the documentation, then you're on your own.

  Alan DeKok.


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

>  It's like you're asking for flying lessons, and showing up with a
> bicycle.  There's a bit of a disconnect somewhere.

Not true, they make these awesome little fold up bikes you can chuck in the 
back of the plane.

Arran Cudbard-Bell 
FreeRADIUS Development Team



Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Kevin Bigalke
Hello,
I'm running a FreeRADIUS Server 2.1.12 on an Ubuntu 13.04 VM. The login
with 802.1 works perfectly. I'm using a Windows LDAP server for the
login and want to add a second LDAP server for failover. I'm
following the tutorials to set up my FreeRADIUS server: Click. I can't find a
suitable tutorial on adding a second LDAP server for failover. Which files
are responsible for the integration of a second LDAP server? These are my
current settings:


 
/etc/freeradius/modules/ldap:

ldap ldap1 {
        server = "serv01.xyz.local"
        basedn = "dc=xyz,dc=local"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        set_auth_type = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}

ldap ldap2 {
        server = "serv02.xyz.local"
        basedn = "dc=xyz,dc=local"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        set_auth_type = no
        keepalive {
                # LDAP_OPT_X_KEEPALIVE_IDLE
                idle = 60
                # LDAP_OPT_X_KEEPALIVE_PROBES
                probes = 3
                # LDAP_OPT_X_KEEPALIVE_INTERVAL
                interval = 3
        }
}
 
/etc/samba/smb.conf:

[global]
        workgroup = XYZ
        dns proxy = no
        security = ads
        password server = serv01.xyz.local
        password server = serv02.xyz.local
        winbind separator = +

/etc/freeradius/sites-enabled/inner-tunnel:

authenticate {
        ntlm_auth
        …

/etc/freeradius/sites-enabled/default:

authenticate {
        ntlm_auth
        …

/etc/freeradius/users:
DEFAULT Auth-Type = ntlm_auth
 

Thanks for Help!
BeliarsFire

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Alan DeKok
Kevin Bigalke wrote:
> I'm running a FreeRADIUS Server 2.1.12 on an Ubuntu 13.04 VM. The login
> with 802.1 works perfectly. I'm using a Windows LDAP server for the
> login and want to add a second LDAP server for failover. I'm
> following the tutorials to set up my FreeRADIUS server: Click. I can't
> find a suitable tutorial on adding a second LDAP server for failover.
> Which files are responsible for the integration of a second LDAP server?

  raddb/modules/ldap

> These are my current Settings:

  That seems reasonable.

> */etc/samba/smb.conf*:

  Which largely doesn't matter for FreeRADIUS.

> */etc/freeradius/sites-enabled/inner-tunnel:*
>  
> authenticate {
> ntlm_auth

  So... you're not using LDAP.

  Let's start from the beginning.  What, exactly are you trying to do?
What have you done?  Why did you think that would work?

  Be specific.

  In short, you *can't* do LDAP fail-over if you're using ntlm_auth.
That's because ntlm_auth interacts with Samba.  And you have *no* LDAP
configuration in the "authorize" section.  And Samba takes care of
Samba-related fail-overs, so LDAP isn't necessary.

  It's like you're asking for flying lessons, and showing up with a
bicycle.  There's a bit of a disconnect somewhere.

  Alan DeKok.



Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 15:47, Kevin Bigalke  wrote:

> Hello,
> I'm running a FreeRADIUS Server 2.1.12 on an Ubuntu 13.04 VM. The login with
> 802.1 works perfectly. I'm using a Windows LDAP server for the login and want
> to add a second LDAP server for failover. I'm following the tutorials to
> set up my FreeRADIUS server: Click. I can't find a suitable tutorial on
> adding a second LDAP server for failover. Which files are responsible for
> the integration of a second LDAP server? These are my current settings:

ldap {
server = "serv01.xyz.local,serv02.xyz.local"
...
}

libldap handles failover.

Arran Cudbard-Bell 
FreeRADIUS Development Team

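To show what Arran's one-line answer looks like in a complete module, here is an added configuration example; it is not taken from the FreeRADIUS project or from anyone in this thread. It merges the original poster's two ldap1/ldap2 modules into one module with both servers listed, so libldap does the failover. The bind account DN, its password and the sAMAccountName filter are assumptions (placeholders to replace); set_auth_type = no keeps authentication on ntlm_auth/Samba, as Alan and Mathieu explain, so the module does authorization only. The smb.conf excerpt is added for the same reason: Samba takes one host list on a single password server line, and a second line with the same key would simply override the first.

```conf
# /etc/freeradius/modules/ldap  (FreeRADIUS 2.x, added example)
ldap {
        # Both AD servers in one module; libldap moves on to the next host
        # when the first cannot be reached, which is the failover asked for.
        server = "serv01.xyz.local,serv02.xyz.local"

        # Read-only bind account; DN and password are placeholders (assumption).
        identity = "cn=radius-reader,cn=Users,dc=xyz,dc=local"
        password = "REPLACE_WITH_BIND_PASSWORD"

        basedn = "dc=xyz,dc=local"
        # AD accounts are usually matched on sAMAccountName rather than uid
        # (assumption about the directory; the original posting used uid).
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1

        tls {
                # Kept as in the original posting. With start_tls = no the
                # bind password and every query cross the network in clear;
                # enabling it requires the AD CA to be trusted on this host.
                start_tls = no
        }

        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

        # Do not let rlm_ldap set Auth-Type: AD passwords cannot be checked
        # over LDAP, so authentication stays with ntlm_auth through Samba.
        set_auth_type = no

        keepalive {
                idle = 60
                probes = 3
                interval = 3
        }
}

# /etc/freeradius/sites-enabled/default and inner-tunnel (excerpt):
# the module is listed in authorize only, for group/attribute lookups;
# the authenticate section stays as the how-to configured it (ntlm_auth).
authorize {
        ...
        ldap
        ...
}

# /etc/samba/smb.conf (excerpt): one host list on one line.
[global]
        workgroup = XYZ
        security = ads
        password server = serv01.xyz.local serv02.xyz.local
        winbind separator = +
```

With the module named plainly `ldap`, the call in authorize matches the module name; if the two-module layout is kept instead, each module has to be referenced by its own instance name (ldap1, ldap2), and the server will not fail over between them on its own.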


Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell

On 12 Sep 2013, at 16:29, Arran Cudbard-Bell  wrote:

> 
>> It's like you're asking for flying lessons, and showing up with a
>> bicycle.  There's a bit of a disconnect somewhere.
> 
> Not true, they make these awesome little fold up bikes you can chuck in the 
> back of the plane.

Still trying to come up with a justification for an rlm_avionics module.

Arran Cudbard-Bell 
FreeRADIUS Development Team
