Can't figure out Group Authentication

2013-08-08 Thread Jernej
Hi!

I am kindly asking for help, or for a pointer in the right direction, to solve this problem.

Right now we are using LDAP for authentication to IBM products. The latest thing
we are trying to do is use FreeRADIUS on the same LDAP schema for wireless purposes
(Cisco network). We didn't have problems with basic authentication, but
when we tried to implement groups in the same way we used before, we hit a
hard rock.

Our LDAP schema looks like:

ou=entries
+ ou=groups
  + ou=services
    + cn=wireless -> uniquemember: uid=user0001,ou=users,ou=entries
                     uniquemember: uid=user0002,ou=users,ou=entries
+ ou=users
  + uid=user0001  mail=us...@firm.com  pass: something
  + uid=user0002  mail=us...@firm.com  pass: something

We authenticate users by the mail and password attributes.

Is it possible to make a search that meets these criteria?

Thank you and have a nice day.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
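One way to map the schema in this post onto the FreeRADIUS 2.x ldap module and gate access on the cn=wireless group, as an added example that is not part of the original post or of the FreeRADIUS distribution. The attribute names, DNs and object layout come from the schema above; the server name, the bind DN and its password are placeholders, and the groupOfUniqueNames object class is an assumption about how the group entries are defined.

```conf
# /etc/raddb/modules/ldap  (FreeRADIUS 2.x option names)
ldap {
        server = "ldap.example.com"                     # placeholder
        identity = "cn=radius,ou=services,ou=entries"   # placeholder read-only bind account
        password = "CHANGEME"                           # placeholder
        basedn = "ou=entries"

        # Users log in with their mail address, so the user search keys on mail, not uid.
        filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"

        # Group objects under ou=services,ou=groups,ou=entries list their members by
        # full user DN in uniquemember; %{Ldap-UserDn} is the DN the user search found.
        # A check item  Ldap-Group == "wireless"  then runs the search
        # (&(cn=wireless)(uniquemember=<user DN>)) under basedn.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))"

        # The user entries carry no attribute naming their groups, so the reverse
        # lookup stays unset; the filter above does all the work.
        #groupmembership_attribute = radiusGroupName

        # No password attribute is readable, so authenticate by binding as the user.
        # This sets Auth-Type := LDAP for every user the search finds (see users file).
        set_auth_type = yes
}

# /etc/raddb/sites-enabled/default (and inner-tunnel, for EAP-TTLS/PAP)
authorize {
        ...
        files          # runs before ldap in the stock server, so the Reject below wins
        ldap
        ...
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}

# /etc/raddb/users, at the top of the file
# Members of cn=wireless: nothing more to do, the ldap module supplies Auth-Type LDAP.
DEFAULT Ldap-Group == "wireless"
        Reply-Message = "wireless access"

# Everyone else: an explicit Reject is needed here, because otherwise set_auth_type
# would let any user the mail search finds bind and log in, group or no group.
DEFAULT Auth-Type := Reject
        Reply-Message = "not a member of the wireless group"
```

Two caveats. Binding as the user only works when the server receives the plaintext password (PAP, which for wireless means EAP-TTLS/PAP in the inner tunnel); PEAP/MSCHAPv2 cannot be verified by an LDAP bind and needs a back end that can check an NT hash. And before trusting the lookup, run the server with `radiusd -X`, log in with a name containing `*` or `)`, and confirm that the filter printed in the debug output shows those characters escaped rather than inserted into the filter as typed.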

Re: Can't figure out Group Authentication

2012-06-27 Thread NdK
On 26/06/2012 17:14, Julson, Jim wrote:
> Forgive my ignorance, but the variable that you are suggesting I use
> would be something that I had to create locally on my RADIUS servers
> right? The idea is that we use our central point of management which
> in our case is Active Directory.
You have to define a local variable to hold the group name (or the group
SID, but while making auth faster it makes management harder). Then
assign to it a value based on where you receive your request from (a
switch, a "public" server, a "private" server, a VPN endpoint...) and
pass it to ntlm_auth in the --require-membership-of option.
If the user trying to access is not in that group, he's denied access
(ntlm_auth checks group membership in AD).

> We have hundreds of servers
> ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes.
> So managing groups on a "per radius server" basis isn't really a
> good choice from a management perspective.  Using the Active
> Directory domain, we can have our admins move folks in and out
> of groups as necessary.  
That's exactly what AD is for. But I usually join the PCs to it so I can
have better integration (one for all: AD groups get mapped to Unix groups).

> Did I understand your suggestion right?
I don't think so.
>  Or is that variable "--require-membership-of="
That's not a variable, that's a parameter for ntlm_auth.
> something that can help me achieve what I want to do?
It restricts access to members of that group. IIUC that's what you need.

> I thought I had to use LDAP for Group Authorization...
You don't need to. At least not for such a basic thing.

To be more clear (not actually tested):
1) add "ATTRIBUTE Require-Group 3000 string" to dictionary
2) add "DEFAULT Require-Group := 'default-ad-group'" to users
3) change ntlm_auth line in modules/mschap to include
"--require-membership-of=%{Require-Group}"

Now restart FR and it should accept only users in 'default-ad-group'.
If it's OK, now you have to find "some way" to differentiate the NAS (or
NAS group) from where the user is requesting access and use unlang to
change the Require-Group value as needed.

BYtE,
 Diego.
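Diego's three steps plus the per-NAS override, written out as an added example; it is not part of Diego's reply (which he marks as untested) and not stock FreeRADIUS configuration. The file paths are the FreeRADIUS 2.x layout used throughout this thread, the NAS addresses and AD group names are constructed, /path/to/ntlm_auth and MYDOMAIN are placeholders, and the value is set from unlang in the request list rather than from the users file, so that a bare %{Require-Group} expansion finds it.

```conf
# /etc/raddb/dictionary  -- step 1: a site-local attribute (3000+ is the range kept for local use)
ATTRIBUTE       Require-Group   3000    string

# /etc/raddb/huntgroups  -- name the NAS (or NAS group) a request comes from (constructed addresses)
vpn             NAS-IP-Address == 10.10.0.5
switches        NAS-IP-Address == 10.10.1.1

# /etc/raddb/sites-enabled/default, authorize section -- step 2 plus the NAS-dependent override.
# The unconditional default guarantees the option is never expanded to an empty string.
authorize {
        preprocess                      # evaluates /etc/raddb/huntgroups
        update request {
                Require-Group := "Default-RADIUS-Users"       # constructed AD group name
        }
        if (Huntgroup-Name == "vpn") {
                update request {
                        Require-Group := "VPN-Users"          # constructed
                }
        }
        elsif (Huntgroup-Name == "switches") {
                update request {
                        Require-Group := "Network-Admins"     # constructed
                }
        }
        ...
        mschap
        ...
}

# /etc/raddb/modules/mschap -- step 3: MS-CHAP requests (e.g. VPN) are handed to ntlm_auth,
# which now also checks that the user is a member of the selected AD group
mschap {
        ntlm_auth = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{Require-Group}"
}

# /etc/raddb/modules/ntlm_auth -- the same option on the PAP path (Cisco SSH logins that
# reach ntlm_auth through Auth-Type := ntlm_auth in the users file)
exec ntlm_auth {
        wait = yes
        program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=%{Require-Group}"
}
```

The membership check is done by ntlm_auth against AD, so this path needs no LDAP bind from the RADIUS server at all; the value handed over must be a group name or SID that ntlm_auth can resolve, as Diego notes. In `radiusd -X` output the expanded ntlm_auth command line is printed, which is the quickest way to confirm that the right group was selected for a given NAS.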


RE: Can't figure out Group Authentication

2012-06-26 Thread Julson, Jim
I appreciate the configuration and the help.

Unfortunately the syntax will be a little different for the LDAP module since 
I'm querying a Microsoft Active Directory and not an OpenLDAP Server.  The 
filters, access attributes and other various settings are completely different 
from what Microsoft passes in their LDAP Attributes.

Again, thank you for the input though.  If anyone else has what they use for 
their Filters, I'd absolutely appreciate a working reference from 
/etc/raddb/modules/ldap .  I think that's my one main problem.

Thanks!

From: freeradius-users-bounces+jjulson=marketron@lists.freeradius.org 
[mailto:freeradius-users-bounces+jjulson=marketron@lists.freeradius.org] On 
Behalf Of dhanushka ranasinghe
Sent: Tuesday, June 26, 2012 9:51 PM
To: FreeRadius users mailing list
Subject: Re: Can't figure out Group Authentication

Hi...

I was able to get OpenLDAP group authentication + PAP working with RADIUS; I used
the following settings.

in users file ,

DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihk,dc=com"
Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


and in /etc/freeradius/modules/ldap

server = "ldap.ihx.com"
identity = "cn=admin,dc=openldap,dc=ihx,dc=com"
password = abc
basedn = "dc=openldap,dc=ihx,dc=com"
filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"
access_attr = "mail"
authtype = ldap



and uncomment the following lines in the /etc/freeradius/modules/ldap

 groupname_attribute
 groupmembership_filter
 groupmembership_attribute

hope this helps,


Thank You
On 26 June 2012 20:44, Julson, Jim wrote:
Forgive my ignorance, but the variable that you are suggesting I use would be 
something that I had to create locally on my RADIUS servers right?  The idea is 
that we use our central point of management which in our case is Active 
Directory.  We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04 
as well as Windows boxes.  So managing groups on a "per radius server" basis 
isn't really a good choice from a management perspective.  Using the Active 
Directory domain, we can have our admins move folks in and out of groups as 
necessary.

Did I understand your suggestion right?  Or is that variable 
"--require-membership-of=" something that can help me achieve what I want to 
do?  I thought I had to use LDAP for Group Authorization...

-Original Message-
From: freeradius-users-bounces+jjulson=marketron@lists.freeradius.org 
[mailto:freeradius-users-bounces+jjulson=marketron@lists.freeradius.org] On 
Behalf Of NdK
Sent: Tuesday, June 26, 2012 3:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Can't figure out Group Authentication

On 22/06/2012 17:32, Julson, Jim wrote:

> Now, the problem is this.  Following Alan DeKok's guide at 
> http://deployingradius.com/documents/configuration/active_directory.html, I 
> was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal 
> effort.  There were a few things I had to go elsewhere to figure out, but I 
> managed.  I have FreeRADIUS setup and authenticating using NTLM_AUTH.  I was 
> able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS 
> server will be for authenticating users on all of our Cisco devices, as well 
> as remote access VPN users.  So the problem is this.  It's authenticating...a 
> little too well.



Why not add a "default group" var (to be overridden for specific
clients) and pass it to ntlm_auth in "--require-membership-of="
parameter? That way you can filter who can authenticate from any NAS.
And IIUC huntgroups, you can even define groups of clients...

Please correct me if I'm wrong.

BYtE,
 Diego.
The information contained in this e-mail message may be confidential and
protected from disclosure.  If you are not the intended recipient, any
dissemination, distribution or copying is strictly prohibited. If you
think that you have received this e-mail message in error, please notify
the sender immediately by replying to this message and then delete it
from your system.

Re: Can't figure out Group Authentication

2012-06-26 Thread dhanushka ranasinghe
Hi...

I was able to get OpenLDAP group authentication + PAP working with RADIUS; I
used the following settings.

in users file ,

DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihk,dc=com"
Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


and in /etc/freeradius/modules/ldap

server = "ldap.ihx.com"
identity = "cn=admin,dc=openldap,dc=ihx,dc=com"
password = abc
basedn = "dc=openldap,dc=ihx,dc=com"
filter = "(mail=%{Stripped-User-Name:-%{User-Name}})"
access_attr = "mail"
authtype = ldap



and uncomment the following lines in the /etc/freeradius/modules/ldap

 groupname_attribute
 groupmembership_filter
 groupmembership_attribute

hope this helps,


Thank You

On 26 June 2012 20:44, Julson, Jim wrote:

> Forgive my ignorance, but the variable that you are suggesting I use would
> be something that I had to create locally on my RADIUS servers right?  The
> idea is that we use our central point of management which in our case is
> Active Directory.  We have hundreds of servers ranging from RHEL 3 up to
> Ubuntu 12.04 as well as Windows boxes.  So managing groups on a "per radius
> server" basis isn't really a good choice from a management perspective.
>  Using the Active Directory domain, we can have our admins move folks in
> and out of groups as necessary.
>
> Did I understand your suggestion right?  Or is that variable
> "--require-membership-of=" something that can help me achieve what I want
> to do?  I thought I had to use LDAP for Group Authorization...
>
> -Original Message-
> From: 
> freeradius-users-bounces+jjulson=marketron@lists.freeradius.org[mailto:
> freeradius-users-bounces+jjulson=marketron@lists.freeradius.org] On
> Behalf Of NdK
> Sent: Tuesday, June 26, 2012 3:36 AM
> To: freeradius-users@lists.freeradius.org
> Subject: Re: Can't figure out Group Authentication
>
> On 22/06/2012 17:32, Julson, Jim wrote:
>
> > Now, the problem is this.  Following Alan DeKok's guide at
> http://deployingradius.com/documents/configuration/active_directory.html,
> I was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal
> effort.  There were a few things I had to go elsewhere to figure out, but I
> managed.  I have FreeRADIUS setup and authenticating using NTLM_AUTH.  I
> was able to join my AD 2008 R2 Domain, I can list users, groups etc.. This
> RADIUS server will be for authenticating users on all of our Cisco devices,
> as well as remote access VPN users.  So the problem is this.  It's
> authenticating...a little too well.
>
>
>
> Why not add a "default group" var (to be overridden for specific
> clients) and pass it to ntlm_auth in "--require-membership-of="
> parameter? That way you can filter who can authenticate from any NAS.
> And IIUC huntgroups, you can even define groups of clients...
>
> Please correct me if I'm wrong.
>
> BYtE,
>  Diego.

RE: Can't figure out Group Authentication

2012-06-26 Thread Julson, Jim
Forgive my ignorance, but the variable that you are suggesting I use would be 
something that I had to create locally on my RADIUS servers right?  The idea is 
that we use our central point of management which in our case is Active 
Directory.  We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04 
as well as Windows boxes.  So managing groups on a "per radius server" basis 
isn't really a good choice from a management perspective.  Using the Active 
Directory domain, we can have our admins move folks in and out of groups as 
necessary.  

Did I understand your suggestion right?  Or is that variable 
"--require-membership-of=" something that can help me achieve what I want to 
do?  I thought I had to use LDAP for Group Authorization...

-Original Message-
From: freeradius-users-bounces+jjulson=marketron@lists.freeradius.org 
[mailto:freeradius-users-bounces+jjulson=marketron@lists.freeradius.org] On 
Behalf Of NdK
Sent: Tuesday, June 26, 2012 3:36 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Can't figure out Group Authentication

On 22/06/2012 17:32, Julson, Jim wrote:

> Now, the problem is this.  Following Alan DeKok's guide at 
> http://deployingradius.com/documents/configuration/active_directory.html, I 
> was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal 
> effort.  There were a few things I had to go elsewhere to figure out, but I 
> managed.  I have FreeRADIUS setup and authenticating using NTLM_AUTH.  I was 
> able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS 
> server will be for authenticating users on all of our Cisco devices, as well 
> as remote access VPN users.  So the problem is this.  It's authenticating...a 
> little too well.



Why not add a "default group" var (to be overridden for specific
clients) and pass it to ntlm_auth in "--require-membership-of="
parameter? That way you can filter who can authenticate from any NAS.
And IIUC huntgroups, you can even define groups of clients...

Please correct me if I'm wrong.

BYtE,
 Diego.


Re: Can't figure out Group Authentication

2012-06-26 Thread NdK
On 22/06/2012 17:32, Julson, Jim wrote:

> Now, the problem is this.  Following Alan DeKok's guide at 
> http://deployingradius.com/documents/configuration/active_directory.html, I 
> was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal 
> effort.  There were a few things I had to go elsewhere to figure out, but I 
> managed.  I have FreeRADIUS setup and authenticating using NTLM_AUTH.  I was 
> able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS 
> server will be for authenticating users on all of our Cisco devices, as well 
> as remote access VPN users.  So the problem is this.  It's authenticating...a 
> little too well.
Why not add a "default group" var (to be overridden for specific
clients) and pass it to ntlm_auth in "--require-membership-of="
parameter? That way you can filter who can authenticate from any NAS.
And IIUC huntgroups, you can even define groups of clients...

Please correct me if I'm wrong.

BYtE,
 Diego.


RE: Can't figure out Group Authentication

2012-06-25 Thread Julson, Jim
Thank you once again Alan.  I know you probably have to "face palm" yourself 
sometimes when you see the same questions over and over.  I appreciate your 
patience with me.  I don't want someone to do it for me, I want to learn it so 
I can support it.  I have decided to start fresh.  I had clean copies of every 
file I've ever touched, so I'm going to try to tackle this sometime during the 
week.  This Amazon AWS Cloud VPC isn't going to build itself  :)

-Original Message-
From: freeradius-users-bounces+jjulson=marketron@lists.freeradius.org 
[mailto:freeradius-users-bounces+jjulson=marketron@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Monday, June 25, 2012 6:54 AM
To: FreeRadius users mailing list
Subject: Re: Can't figure out Group Authentication

Julson, Jim wrote:
> Okay, so I think I'm getting closer.  But I have a few challenges 
> still.  I am slowly learning how to parse the RADIUS -X debug output, 
> now it's a matter of knowing what to do with the information.

  Use the handy form at:

networkradius.com/freeradius.html

  It tells you the important things to look at.

> 1.  Domain Groups with spaces sometimes would or wouldn't work.  (Is 
> that the case with FreeRADIUS?)

  It shouldn't be, but you never know.

> 2.  Recursive searches were a problem.  See below for how the basic 
> Active Directory structure looks for us (Note the spaces in the names).
> For Cacti, I had to create a new OU, with a new Security Group that 
> didn’t have spaces in it.  That was the only way I could get LDAP 
> Binds to work for Group Authentication.  (I find it hard to believe 
> that’s the case with FreeRADIUS…I tend to lean more towards my bad 
> configuration).

  Recursive searches are supported in FreeRADIUS.  See the "rebind"
configuration in the ldap module.

> So, in that example, if I wanted to have a user be Authenticated who 
> resides in “ADMIN – Users”, but the group is in “ADMIN – Groups”, does 
> it matter to the RADIUS LDAP module?

  It shouldn't.

> NOTE:  I am kind of lost here.  I see so many people using so many 
> different syntaxes that I’m not sure if I’m using the right one.

  The documentation is correct.  Almost every third-party site is wrong.

>  At
> present, the “users” file is completely default except for the following
> lines I’ve added at the very top.   So, no matter what my LDAP output
> shows, If I uncomment the two lines for ntlm_auth, I can login with 
> any Domain User regardless of the top 2 lines that say “Domain 
> Admins”, and all others are rejected.  So I’m thinking ultimately my 
> problem is not just here, but also with the LDAP bind taking place as you can 
> see below.
> **
> */etc/raddb/users** *
>  
> DEFAULT Ldap-Group == "CN=Domain Admins,CN=ADMIN - 
> Groups,DC=DOMAIN,DC=HOME,DC=COM",

  You just need the group name "admin" or "sales".  Not the whole path.

> Auth-Type = ntlm_auth
> DEFAULT Auth-Type = Reject

  You don't need the default reject.  The server will ALWAYS reject people it 
doesn't know.

> Here’s the RADIUSD –X output from my last auth attempt.
>  
> BEGIN RADIUS -X DEBUG OUTPUT
> NOTE:  I’ve changed all my domain information for this 
> troubleshooting, and also highlighted anywhere it’s referenced.  I’m 
> hoping I’m On the right track with what I’ve highlighted below as to 
> where I believe the problem is.

  Part of the reason for the debug output is to show you what's going on.  It 
prints out the LDAP queries it does.  You can copy them, and use them in 
command-line tests with "ldapsearch".  That helps.

  Alan DeKok.

Re: Can't figure out Group Authentication

2012-06-25 Thread Alan DeKok
Julson, Jim wrote:
> Okay, so I think I'm getting closer.  But I have a few challenges
> still.  I am slowly learning how to parse the RADIUS -X debug output,
> now it's a matter of knowing what to do with the information.

  Use the handy form at:

networkradius.com/freeradius.html

  It tells you the important things to look at.

> 1.  Domain Groups with spaces sometimes would or wouldn't work.  (Is
> that the case with FreeRADIUS?) 

  It shouldn't be, but you never know.

> 2.  Recursive searches were a problem.  See below for how the basic
> Active Directory structure looks for us (Note the spaces in the names). 
> For Cacti, I had to create a new OU, with a new Security Group that
> didn’t have spaces in it.  That was the only way I could get LDAP Binds
> to work for Group Authentication.  (I find it hard to believe that's the
> case with FreeRADIUS…I tend to lean more towards my bad configuration).

  Recursive searches are supported in FreeRADIUS.  See the "rebind"
configuration in the ldap module.

> So, in that example, if I wanted to have a user be Authenticated who
> resides in “ADMIN – Users”, but the group is in “ADMIN – Groups”, does
> it matter to the RADIUS LDAP module?

  It shouldn't.

> NOTE:  I am kind of lost here.  I see so many people using so many
> different syntaxes that I’m not sure if I’m using the right one.

  The documentation is correct.  Almost every third-party site is wrong.

>  At
> present, the “users” file is completely default except for the following
> lines I’ve added at the very top.   So, no matter what my LDAP output
> shows, If I uncomment the two lines for ntlm_auth, I can login with any
> Domain User regardless of the top 2 lines that say “Domain Admins”, and
> all others are rejected.  So I’m thinking ultimately my problem is not
> just here, but also with the LDAP bind taking place as you can see below. 
> **
> */etc/raddb/users** *
>  
> DEFAULT Ldap-Group == "CN=Domain Admins,CN=ADMIN -
> Groups,DC=DOMAIN,DC=HOME,DC=COM",

  You just need the group name "admin" or "sales".  Not the whole path.

> Auth-Type = ntlm_auth
> DEFAULT Auth-Type = Reject

  You don't need the default reject.  The server will ALWAYS reject
people it doesn't know.

> Here’s the RADIUSD –X output from my last auth attempt.
>  
> BEGIN RADIUS -X DEBUG OUTPUT
> NOTE:  I’ve changed all my domain information for this troubleshooting,
> and also highlighted anywhere it’s referenced.  I’m hoping I’m
> On the right track with what I’ve highlighted below as to where I
> believe the problem is.

  Part of the reason for the debug output is to show you what's going
on.  It prints out the LDAP queries it does.  You can copy them, and use
them in command-line tests with "ldapsearch".  That helps.

  Alan DeKok.

RE: Can't figure out Group Authentication

2012-06-23 Thread Julson, Jim
Okay, so I think I'm getting closer.  But I have a few challenges still.  I am 
slowly learning how to parse the RADIUS -X debug output, now it's a matter of 
knowing what to do with the information.

I know that when I've setup Cacti servers or other Linux based servers that 
bind to LDAP, I've had problems with 2 different facets of the implementation.

1.  Domain Groups with spaces sometimes would or wouldn't work.  (Is that the 
case with FreeRADIUS?)
2.  Recursive searches were a problem.  See below for how the basic Active 
Directory structure looks for us (Note the spaces in the names).  For Cacti, I 
had to create a new OU, with a new Security Group that didn't have spaces in 
it.  That was the only way I could get LDAP Binds to work for Group 
Authentication.  (I find it hard to believe that's the case with FreeRADIUS...I 
tend to lean more towards my bad configuration).

DOMAIN.EXAMPLE.COM
ADMIN - Users
ADMIN - Groups
ADMIN - Servers
Computers
Users
Domain Controllers
Built-In
Etc..

So, in that example, if I wanted to have a user be Authenticated who resides in 
"ADMIN - Users", but the group is in "ADMIN - Groups", does it matter to the 
RADIUS LDAP module?


Now,  in /etc/raddb/modules/ldap , we would have the binding setup as follows.  
Note that the Base DN is the top level of the domain because it has to be able 
to recursively search all sub-OU's to find both users, and groups.

**
/etc/raddb/modules/ldap

server = "172.16.5.200"
identity = "CN=Administrator,CN=Users,DC=DOMAIN,DC=EXAMPLE,DC=COM"
password = MyPasswordForBIND
basedn = "DC=DOMAIN,DC=EXAMPLE,DC=COM"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
#filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
#base_filter = "(objectclass=radiusprofile)"

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf

**


NOTE:  I am kind of lost here.  I see so many people using so many different 
syntaxes that I'm not sure if I'm using the right one.  At present, the "users" 
file is completely default except for the following lines I've added at the 
very top.   So, no matter what my LDAP output shows, If I uncomment the two 
lines for ntlm_auth, I can login with any Domain User regardless of the top 2 
lines that say "Domain Admins", and all others are rejected.  So I'm thinking 
ultimately my problem is not just here, but also with the LDAP bind taking 
place as you can see below.
**
/etc/raddb/users

DEFAULT Ldap-Group == "CN=Domain Admins,CN=ADMIN - Groups,DC=DOMAIN,DC=HOME,DC=COM", Auth-Type = ntlm_auth
DEFAULT Auth-Type = Reject

#DEFAULT Auth-Type = ntlm_auth
#       Reply-Message = "You have been successfully authenticated! "
**



Here's the checklist of what I've done.

1.   Added an entry simply as "ldap" under the "Instantiate" section in 
/etc/raddb/radiusd.conf
2.  Added the LDAP information as shown above in /etc/raddb/modules/ldap
3.  Configured ntlm_auth under /etc/raddb/modules/ntlm_auth
4.  Configured the mschap module under /etc/raddb/modules/mschap
5.  Added a list of clients who can authenticate in /etc/raddb/clients.conf
6.  Added an entry to check against LDAP groups in /etc/raddb/users (I 
believe this is still a problem for me.  I don't think I have it configured 
properly.  I think I need to visually see an example as it's just not 
"clicking" with me for some reason.)



Here's the RADIUSD -X output from my last auth attempt.

BEGIN RADIUS -X DEBUG OUTPUT
NOTE:  I've changed all my domain information for this troubleshooting, and 
also highlighted anywhere it's referenced.  I'm hoping I'm
On the right track with what I've highlighted below as to where I believe the 
problem is.
###
###
###
###

rad_recv: Access-Request packet from host 10.10.0.5 port 1645, id=72, length=73
        User-Name = "USERNAMEHERE"
        User-Password = "PASSWORDOMMITTED"

RE: Can't figure out Group Authentication

2012-06-23 Thread Julson, Jim
Alan, 

That was about the most clear and concise description of the process I've 
found/heard to date.  Thank you for taking the time to educate me.  I will 
attempt to get this going today.  I think I have everything that I need at this 
point.  

Have a good one. 

-Original Message-
From: freeradius-users-bounces+jjulson=marketron@lists.freeradius.org 
[mailto:freeradius-users-bounces+jjulson=marketron@lists.freeradius.org] On 
Behalf Of Alan DeKok
Sent: Saturday, June 23, 2012 6:22 AM
To: FreeRadius users mailing list
Subject: Re: Can't figure out Group Authentication

Julson, Jim wrote:
> Now, I then setup my Cisco router accordingly, and then did an SSH 
> test to it using my AD Account.  Voila!  It worked great.  _*/However, 
> so did every other "Domain User" account in the environment.  /*_ This 
> goes back to me being so new to RADIUS and Linux where I don't feel 
> like I'm fully grasping all of the directives within the configuration 
> files, and exactly how they all tie together.

  Honestly, I don't remember much of that, either.  When I configure the 
server, I usually go back and read the comments *I wrote* to figure out what to 
do.

  But for your issue, you told the server to "use AD to authenticate all 
users".  So that's what it did.

> *So, how do I lock down the SSH Authentication to an Active Directory 
> Group of users, or individual users? * Remember, go easy on me.  I'll 
> provide whatever you need to help.  I'm assuming you will ask for my 
> RADIUSD -X output, so I've attached that as well.

1) configure AD as an LDAP server.  See raddb/modules/ldap

2) add "ldap" to the "instantiate" section of radiusd.conf
   There are references to "ldap" in "authorize" and "authentication"
   You won't need those.

3) Do group checking with LDAP-Group == "group name"

  See the FAQ for examples of rejecting users with a particular group.
The FAQ uses "Group", which is "Unix group from /etc/passwd".  Just use 
LDAP-Group instead.

> NOTE:  One thing I don't understand is how in Alan DeKok's write up from
> the link above, he says don't use the "DEFAULTAuth-Type = ntlm_auth"
> in the "/etc/raddb/users" file, but yet that's one of the final steps 
> to test in the write-up.

  It's an intermediate step.  It's necessary only when you're forcing 
authentication back-ends.

>  Maybe it's because I am so new, but I've been through that document 
> probably 30 times line by line, and yet every time I remove that 
> entry, it breaks the Authentication.

  Yes.  The server needs to know HOW to authenticate the users.  The incoming 
RADIUS packet contains what KIND of authentication method.
PAP, CHAP, MS-CHAP, etc.  So the server has no choice there.

  But where does it get the passwords from?  Normally this is a DB.  But AD 
isn't a DB (for various reasons).  Instead, the "Auth-Type = ntlm_auth" 
reformats and *proxies* the authentication over the Samba protocol, using the 
ntlm_auth program.

  i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this correct?"

  If the server has passwords from a DB, it can just authenticate the user 
directly.  If it doesn't have a password for that user, it has to hand off the 
authentication to someone else.

  Alan DeKok.


Re: Can't figure out Group Authentication

2012-06-23 Thread Alan DeKok
Julson, Jim wrote:
> Now, I then setup my Cisco router accordingly, and then did an SSH test
> to it using my AD Account.  Voila!  It worked great.  _*/However, so did
> every other "Domain User" account in the environment.  /*_ This goes
> back to me being so new to RADIUS and Linux where I don't feel like I'm
> fully grasping all of the directives within the configuration files, and
> exactly how they all tie together.

  Honestly, I don't remember much of that, either.  When I configure the
server, I usually go back and read the comments *I wrote* to figure out
what to do.

  But for your issue, you told the server to "use AD to authenticate all
users".  So that's what it did.

> *So, how do I lock down the SSH Authentication to an Active Directory
> Group of users, or individual users? * Remember, go easy on me.  I'll
> provide whatever you need to help.  I'm assuming you will ask for my
> RADIUSD -X output, so I've attached that as well. 

1) configure AD as an LDAP server.  See raddb/modules/ldap

2) add "ldap" to the "instantiate" section of radiusd.conf
   There are references to "ldap" in "authorize" and "authentication"
   You won't need those.

3) Do group checking with LDAP-Group == "group name"

  See the FAQ for examples of rejecting users with a particular group.
The FAQ uses "Group", which is "Unix group from /etc/passwd".  Just use
LDAP-Group instead.

> NOTE:  One thing I don't understand is how in Alan DeKok's write up from
> the link above, he says don't use the "DEFAULTAuth-Type = ntlm_auth"
> in the "/etc/raddb/users" file, but yet that's one of the final steps to
> test in the write-up.

  It's an intermediate step.  It's necessary only when you're forcing
authentication back-ends.

>  Maybe it's because I am so new, but I've been
> through that document probably 30 times line by line, and yet every time
> I remove that entry, it breaks the Authentication. 

  Yes.  The server needs to know HOW to authenticate the users.  The
incoming RADIUS packet contains what KIND of authentication method.
PAP, CHAP, MS-CHAP, etc.  So the server has no choice there.

  But where does it get the passwords from?  Normally this is a DB.  But
AD isn't a DB (for various reasons).  Instead, the "Auth-Type =
ntlm_auth" reformats and *proxies* the authentication over the Samba
protocol, using the ntlm_auth program.

  i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this
correct?"

  If the server has passwords from a DB, it can just authenticate the
user directly.  If it doesn't have a password for that user, it has to
hand off the authentication to someone else.

  Alan DeKok.
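The three steps above turn an LDAP-Group check into two directory searches: first the server resolves the RADIUS User-Name to a DN (a search such as `(sAMAccountName=jim)`), then it searches for a group entry whose `member` attribute holds that DN. The following is an added example written for this thread, not rlm_ldap or any FreeRADIUS code: a small Python model of those two searches against a constructed in-memory directory (the users `jim` and `bob`, the group `ssh-admins` and the `example.com` DNs are all made up). Because User-Name arrives straight from the Access-Request, the model escapes it per RFC 4515 before splicing it into the filter; the evaluator treats an unescaped `*` as a wildcard, so the difference is visible.

```python
"""Model of the two LDAP searches behind an LDAP-Group check (added example)."""
import re

# Constructed directory: (dn, attributes); attribute names are lower-cased
# and every value is a list, since LDAP attributes are multi-valued.
DIRECTORY = [
    ("CN=jim,OU=Users,DC=example,DC=com",
     {"objectclass": ["user"], "samaccountname": ["jim"]}),
    ("CN=bob,OU=Users,DC=example,DC=com",
     {"objectclass": ["user"], "samaccountname": ["bob"]}),
    ("CN=ssh-admins,OU=Groups,DC=example,DC=com",
     {"objectclass": ["groupOfNames"], "cn": ["ssh-admins"],
      "member": ["CN=jim,OU=Users,DC=example,DC=com"]}),
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(piece):
    """Turn \\XX hex escapes back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), piece)


def _parse(s, i=0):
    """Recursive-descent parse of a filter starting at s[i] == '('."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def _matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(_matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(_matches(k, attrs) for k in node[1])
    _, attr, value = node
    # An unescaped '*' is a substring wildcard; escaped bytes are literal.
    parts = [re.escape(_unescape(p)) for p in value.split("*")]
    pattern = re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)
    return any(pattern.match(v) for v in attrs.get(attr, []))


def search(filter_str, directory=DIRECTORY):
    """Return the DNs of every entry matching the filter."""
    node, _ = _parse(filter_str)
    return [dn for dn, attrs in directory if _matches(node, attrs)]


def user_filter(user_name, attr="sAMAccountName", escape=True):
    """Step 1: the filter that resolves User-Name to a DN."""
    value = ldap_escape(user_name) if escape else user_name
    return "(%s=%s)" % (attr, value)


def group_filter(user_dn, group_cn):
    """Step 2: the filter that looks for a group holding the user's DN."""
    return ("(&(objectClass=groupOfNames)(cn=%s)(member=%s))"
            % (ldap_escape(group_cn), ldap_escape(user_dn)))


def ldap_group_check(user_name, group_cn, directory=DIRECTORY, escape=True):
    """'accept' only if User-Name resolves to exactly one DN that is a member."""
    users = search(user_filter(user_name, escape=escape), directory)
    if len(users) != 1:            # not found, or ambiguous: never accept
        return "reject"
    if search(group_filter(users[0], group_cn), directory):
        return "accept"
    return "reject"


if __name__ == "__main__":
    print(ldap_group_check("jim", "ssh-admins"))     # accept
    print(ldap_group_check("bob", "ssh-admins"))     # reject
    print(search(user_filter("*", escape=False)))    # every user entry
    print(search(user_filter("*")))                  # [] once escaped
```

The two checks worth keeping from this model when debugging a real setup are the ones the directory logs make visible: a user search that returns zero or more than one entry must end in a reject rather than a guess, and a group search is only meaningful once the user DN it embeds was obtained from a filter whose User-Name was escaped.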


RE: Can't figure out Group Authentication

2012-06-22 Thread Julson, Jim
You rock man ! 

I will dive deeper into this and see what I can conjure up.  Thanks again for 
the time.  I've been looking through the list archives for days and haven't 
found anything "direct" that could point me in this direction.  Then again, I 
probably passed over it many times just because I'm so burnt out on this  :)

Have a good weekend.

-Original Message-
From: alan buxey [mailto:a.l.m.bu...@lboro.ac.uk] 
Sent: Friday, June 22, 2012 3:15 PM
To: Julson, Jim
Cc: freeradius-users@lists.freeradius.org
Subject: Re: Can't figure out Group Authentication

Hi,
>Any hints as to where I’d possibly begin?

if you want to use LDAP to define/check groups, then you need to look at the 
LDAP module - if you look at this module you can see how to configure it; it's 
fairly well self-documented and there are LDAP HOWTOs and docs on the main 
freeradius document sites. 

alternatively, you could use eg PERL and the LDAP CPAN module to do the work in 
that instead.

alan


Re: Can't figure out Group Authentication

2012-06-22 Thread alan buxey
Hi,
>Any hints as to where I’d possibly begin? 

if you want to use LDAP to define/check groups, then you need to look at the
LDAP module - if you look at this module you can see how to configure it; it's
fairly well self-documented and there are LDAP HOWTOs and docs on the main
freeradius document sites. 

alternatively, you could use eg PERL and the LDAP CPAN module to do the work in 
that instead.

alan

RE: Can't figure out Group Authentication

2012-06-22 Thread Julson, Jim
Any hints as to where I’d possibly begin?

I might be able to stumble through it if I at least knew what files I had to 
edit I think.


From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk]
Sent: Friday, June 22, 2012 2:36 PM
To: Julson, Jim; freeradius-users@lists.freeradius.org
Subject: Re: Can't figure out Group Authentication

You've got to set up some group checking...you haven't, so ldap-group means 
nothing to the server so you hit the default reject that you added...

alan


Re: Can't figure out Group Authentication

2012-06-22 Thread Alan Buxey
You've got to set up some group checking...you haven't, so ldap-group means 
nothing to the server so you hit the default reject that you added...

alan


Can't figure out Group Authentication

2012-06-22 Thread Julson, Jim
First, I'd like to thank Alan for his beyond countless hours of dedication to 
all the blogs, forum posting, and general support within the community.  Your 
write-ups are thorough and well thought out.  I wish more people were like you. 
I'm pretty new to RADIUS and, consequently, Linux in general.  So I might 
ask questions that seem noobish or lame, but it doesn't mean I'm not willing to 
learn, research etc.  Just bear with me.

Now, the problem is this.  Following Alan DeKok's guide at 
http://deployingradius.com/documents/configuration/active_directory.html, I was 
able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal effort.  
There were a few things I had to go elsewhere to figure out, but I managed.  I 
have FreeRADIUS setup and authenticating using NTLM_AUTH.  I was able to join 
my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS server will be 
for authenticating users on all of our Cisco devices, as well as remote access 
VPN users.  So the problem is this.  It's authenticating...a little too well.

I've added the following entry into "/etc/raddb/clients.conf" to allow AAA on 
one of my cisco routers.

*
client 10.10.0.5 {
        secret    = REALSECRETOMMITTED
        shortname = Cisco-2911-VPCRTR
        nastype   = cisco
}
*

Now, I then setup my Cisco router accordingly, and then did an SSH test to it 
using my AD Account.  Voila!  It worked great.  However, so did every other 
"Domain User" account in the environment.   This goes back to me being so new 
to RADIUS and Linux where I don't feel like I'm fully grasping all of the 
directives within the configuration files, and exactly how they all tie 
together.  I'm getting there, but just not fast enough.

So, how do I lock down the SSH Authentication to an Active Directory Group of 
users, or individual users?  Remember, go easy on me.  I'll provide whatever 
you need to help.  I'm assuming you will ask for my RADIUSD -X output, so I've 
attached that as well.

NOTE:  One thing I don't understand is how in Alan DeKok's write up from the 
link above, he says don't use the "DEFAULTAuth-Type = ntlm_auth" in the 
"/etc/raddb/users" file, but yet that's one of the final steps to test in the 
write-up.  Maybe it's because I am so new, but I've been through that document 
probably 30 times line by line, and yet every time I remove that entry, it 
breaks the Authentication.

BEGIN RADIUSD -X DEBUG OUTPUT

FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Jul 19 
2011 at 10:21:08
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/linelog
including configurati

RE: Domain Group Authentication

2011-12-27 Thread Brian Julin

Automate an export of the list of WiFi MAC addresses of your managed computers 
from the DC.  Then in post-auth, query that list (we use an SQL database) and 
use the result to alter the tunnel-group-ID sent back in the outer reply.  
Users can spoof their MAC addresses, of course, but as long as you are doing 
this mainly to contain contagion rather than high security, it is satisfactory.

The other option in a managed environment is of course to use TLS for the 
managed computers and install certs.  You could even embed the MAC address into 
the cert and check that that matches the Calling-Station-ID.  Still spoofable, 
of course, but barring a hardware crypto solution, everything is to a pro.


From: freeradius-users-bounces+bjulin=clarku@lists.freeradius.org 
[freeradius-users-bounces+bjulin=clarku@lists.freeradius.org] On Behalf Of 
McSparin, Joe [jmcspa...@hillcountrymemorial.org]
Sent: Tuesday, December 27, 2011 5:51 PM
To: FreeRadius users mailing list
Subject: Domain Group Authentication

I currently have FreeRadius setup to authenticate against Active Directory and 
it works great.  I was wondering though for everyone out there using it if you 
had any recommendations for this scenario:

I have users that will connect wirelessly using their NT domain username and 
password on the hospital's wireless devices.  I also however have doctors that 
will bring in their own laptops and connect.  When they connect with their 
laptops though I do not want them to have the same privileges as when they 
connect on the hospital wireless devices.  If they are connecting with their 
laptops even though they use their Ntdomain user name and password I want to 
restrict them to a public vlan.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org


This email message and any attachments are for the sole use of the intended 
recipient(s) and contain confidential and/or privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message and any attachments.



Domain Group Authentication

2011-12-27 Thread McSparin, Joe
I currently have FreeRadius setup to authenticate against Active
Directory and it works great.  I was wondering though for everyone out
there using it if you had any recommendations for this scenario:
I have users that will connect wirelessly using their NT domain username
and password on the hospital's wireless devices.  I also however have
doctors that will bring in their own laptops and connect.  When they
connect with their laptops though I do not want them to have the same
privileges as when they connect on the hospital wireless devices.  If
they are connecting with their laptops even though they use their
Ntdomain user name and password I want to restrict them to a public
vlan.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org




Two different sets of Group Authentication

2011-05-26 Thread Raheel Itrat

Hi,

Currently I am authenticating only one group of users in the Cisco Switches group. 
Now, I have to add another VPN group and distinguish between two sets of group 
authentication, VPN Users and Cisco switches. I'd like to control access to each 
of those separately (different AD Group SIDs). 

Do i have to do something like creating two modules (ntlm_auth and ntlm_auth2) 
or two different mschap modules with respective ntlm_auth entries? Even then 
how would it differentiate between the two? Is defining huntgroups an option if 
using ntlm as Auth type?

BR,
Raheel

Re: User + Password + MAC address group authentication

2010-07-12 Thread Alan DeKok
Aaron Jansen wrote:
>> For a user FreeRADIUS should check the user name, password, and the MAC
>> address. The MAC address can be one of many in a list stored in a
>> database. So, this is not about a single user logging in on only one
>> device. 

  Edit the SQL queries.  They're text in a config file for a reason.

>> I have taken a look at the rad(group)check table, but it seems that ALL
>> attributes should check out alright for the user to be authenticated.
>> So, I cannot just simply add a list of all possible user/MAC
>> combinations. 

  You can also write SELECT statements in the config files.

authorize {
        ...

        sql     # see radcheck && radreply

        # look up the Calling-Station-Id in the MAC table
        if ("%{sql: SELECT mac from mac_table WHERE ... }") {
                # mac was found
        }
        else {
                reject  # mac wasn't found
        }
        ...
}

  Alan DeKok.


Re: User + Password + MAC address group authentication

2010-07-12 Thread Aaron Jansen
On Thu, 2010-07-08 at 16:21 +0200, Aaron Jansen wrote:
> Dear all,
> 
> I would like to do the following:
> 
> For a user FreeRADIUS should check the user name, password, and the MAC
> address. The MAC address can be one of many in a list stored in a
> database. So, this is not about a single user logging in on only one
> device. 
> 
> I have taken a look at the rad(group)check table, but it seems that ALL
> attributes should check out alright for the user to be authenticated.
> So, I cannot just simply add a list of all possible user/MAC
> combinations. 
> 
> How can I best achieve this? Any help would be appreciated. 
> 
> Best regards, 
> 
> Aaron Jansen

As extra information: I'm running FreeRADIUS 2.1.8 on Debian.

Any help would be appreciated. 

-- 
Developer

The IP Company BV
Wattstraat 34
2171 TR Sassenheim
The Netherlands

Web: www.theipcompany.nl

Mail: a...@theipcompany.nl
Tel: +31(0) 85 1119120 (GMT+1)
Fax: +31(0) 85 1119199



Re: User + Password + AMC address group authentication

2010-07-09 Thread Alan DeKok
John McDonnell wrote:
> Just a quick question, I'm planning on adding a machine_name field to the
> MAC address table in addition to the MAC addresses to make maintaining the
> list (adding and removing MAC addresses with new machines coming in and
> old ones going out) easier. Is there anything else that would be useful to
> add to the table?

  Keep it simple.  The simpler the table, the better.  Things needed for
your system are probably not needed for other systems.  And the SQL
schemas are editable for a reason: people can extend them locally.

> Should I create an arbitrary key_id field or use the
> mac_address field as the index or perhaps the machine name since laptops
> and some other machines have multiple NICs?

  That's a good idea, and is widely useful.

> I might add an asset_id field
> as well since that would be easier for our users to read back to us
> (sticker on the outside of the equipment) for troubleshooting when
> checking to make sure their machine is entered properly in the database.

  That would probably be a local site extension.

> Does this seem to make the most sense or would there be a better table
> design that would be more efficient?

  Nope.  'id', 'mac', and 'machine' are pretty much it.

> Granted, the only thing in the table
> that will be regularly accessed will be the MAC address, the rest is just
> for making maintaining the addresses easier and will only be accessed when
> adding/removing/making sure MAC was entered correctly.

  Yup.

  If you come up with a schema && some useful queries, we can add them
to the default examples that come with the server.

  Alan DeKok.


RE: User + Password + AMC address group authentication

2010-07-09 Thread John McDonnell
> -Original Message-
> From: Alan DeKok
> Sent: Thursday, July 08, 2010 10:26 AM
> Aaron Jansen wrote:
> > For a user FreeRADIUS should check the user name, password, and the
> > MAC address. The MAC address can be one of many in a list stored in
> > a database. So, this is not about a single user logging in on only
> > one device.

This is something that I want to do here as well. I've seen the examples
for using a flat file to do this, but wanted to put it into a SQL database
for easier management, but also was not sure how to go about it and have
limited time right now for figuring it out.

>   The existing tables are for specific purposes.  If you need
> something else, don't use them.
> 
>   Create a table just for MAC addresses.  Then, do:
> 
> authorize {
>   ...
> 
> 
>   if ("%{sql:SELECT mac FROM mac_table WHERE...}") {
>   # mac is known
>   }
>   else {
>   # mac is unknown
>   }
>   ...
> }
> 
>   Run the SQL select by hand until you get it working, and then add
> it to the configuration file.

Having even a bit of an example like that really helps sometimes.
Especially since I only have a minor understanding (Just Enough to Be
Dangerous *TM) of SQL and FreeRADIUS. (The latter is getting better quite
regularly.) Though right now, we're quite busy and I'm not sure when I'll
get the chance to set this up, I'll be sure to share my findings when I
get the chance.

Just a quick question, I'm planning on adding a machine_name field to the
MAC address table in addition to the MAC addresses to make maintaining the
list (adding and removing MAC addresses with new machines coming in and
old ones going out) easier. Is there anything else that would be useful to
add to the table? Should I create an arbitrary key_id field or use the
mac_address field as the index or perhaps the machine name since laptops
and some other machines have multiple NICs? I might add an asset_id field
as well since that would be easier for our users to read back to us
(sticker on the outside of the equipment) for troubleshooting when
checking to make sure their machine is entered properly in the database.

Example table layout:

mac_table
+--------+-------------+--------------+----------+
| key_id | mac_address | machine_name | asset_id |
+--------+-------------+--------------+----------+

(Sorry for the layout, I couldn't remember exactly how SQL diagrams are
usually done and couldn't find a quick example.)

Does this seem to make the most sense or would there be a better table
design that would be more efficient? Granted, the only thing in the table
that will be regularly accessed will be the MAC address, the rest is just
for making maintaining the addresses easier and will only be accessed when
adding/removing/making sure MAC was entered correctly.

Thanks for your patience and help.

Sincerely,

-- 
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O< ASCII Ribbon Campaign - www.asciiribbon.org

Re: User + Password + AMC address group authentication

2010-07-08 Thread Alan DeKok
Aaron Jansen wrote:
> For a user FreeRADIUS should check the user name, password, and the MAC
> address. The MAC address can be one of many in a list stored in a
> database. So, this is not about a single user logging in on only one
> device. 
> 
> I have taken a look at the rad(group)check table, but it seems that ALL
> attributes should check out alright for the user to be authenticated.
> So, I cannot just simply add a list of all possible user/MAC
> combinations. 

  The existing tables are for specific purposes.  If you need something
else, don't use them.

> How can I best achieve this? Any help would be appreciated. 

  Create a table just for MAC addresses.  Then, do:

authorize {
        ...

        if ("%{sql:SELECT mac FROM mac_table WHERE...}") {
                # mac is known
        }
        else {
                # mac is unknown
        }
        ...
}

  Run the SQL select by hand until you get it working, and then add it
to the configuration file.
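Both of Alan's replies in this thread (the `authorize` snippet above and the earlier "'id', 'mac', and 'machine' are pretty much it") describe the same thing: a dedicated table of known MAC addresses, queried once per request with the Calling-Station-Id, and a reject when nothing comes back. The following is an added example, not FreeRADIUS code and not the server's `%{sql:...}` expansion: a Python model using sqlite3 in place of the real SQL backend. The table follows the three-column suggestion; the MAC addresses and machine names are constructed. Its one addition to the snippet is the part that trips most deployments in practice: NAS equipment writes Calling-Station-Id in several spellings (`0011.2233.4455`, `00-11-22-33-44-55`, `00:11:22:33:44:55`, upper or lower case), so the value is normalised to one canonical form before the lookup and stored in that same form.

```python
"""Model of the 'look up Calling-Station-Id in a MAC table' authorize step."""
import re
import sqlite3

SCHEMA = """
CREATE TABLE mac_table (
    id      INTEGER PRIMARY KEY,
    mac     TEXT NOT NULL UNIQUE,   -- always stored as aa:bb:cc:dd:ee:ff
    machine TEXT NOT NULL           -- hostname/asset label, admin use only
);
"""

# Constructed allow-list, deliberately in the mixed spellings admins type.
KNOWN_MACHINES = [
    ("00-11-22-33-44-55", "lab-laptop-01"),
    ("00:1A:2B:3C:4D:5E", "lab-laptop-02"),
    ("0050.56ab.cdef", "lab-desktop-07"),
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(station_id):
    """Map any Calling-Station-Id spelling of a MAC to aa:bb:cc:dd:ee:ff.

    Returns None for anything that is not 12 hex digits (missing attribute,
    a phone number, garbage), so a bad value can never equal a stored row.
    """
    if station_id is None:
        return None
    digits = re.sub(r"[-:.\s]", "", station_id.lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def open_mac_db(rows=KNOWN_MACHINES):
    """Create the table in memory and load the allow-list in canonical form."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    canonical = []
    for raw, machine in rows:
        mac = normalize_mac(raw)
        if mac is None:
            raise ValueError("not a MAC address: %r" % raw)
        canonical.append((mac, machine))
    conn.executemany("INSERT INTO mac_table (mac, machine) VALUES (?, ?)",
                     canonical)
    conn.commit()
    return conn


def mac_is_known(conn, calling_station_id):
    """The SELECT from the snippet, with the value bound as a parameter."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False
    row = conn.execute("SELECT mac FROM mac_table WHERE mac = ?",
                       (mac,)).fetchone()
    return row is not None


def authorize(conn, request):
    """Mirror of the if/else: a known MAC lets authorization continue ('ok');
    anything else is rejected before any password check takes place."""
    if mac_is_known(conn, request.get("Calling-Station-Id")):
        return "ok"
    return "reject"


if __name__ == "__main__":
    db = open_mac_db()
    print(authorize(db, {"User-Name": "jim",
                         "Calling-Station-Id": "0011.2233.4455"}))     # ok
    print(authorize(db, {"User-Name": "jim",
                         "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}))  # reject
```

The lookup binds the MAC as a query parameter rather than interpolating the attribute into the SQL text; when this is moved into a real configuration the equivalent concern is that the value spliced into `%{sql:...}` is request-controlled, and the normaliser above rejects anything that is not a plausible MAC before it reaches the database at all.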


User + Password + AMC address group authentication

2010-07-08 Thread Aaron Jansen
Dear all,

I would like to do the following:

For a user FreeRADIUS should check the user name, password, and the MAC
address. The MAC address can be one of many in a list stored in a
database. So, this is not about a single user logging in on only one
device. 

I have taken a look at the rad(group)check table, but it seems that ALL
attributes should check out alright for the user to be authenticated.
So, I cannot just simply add a list of all possible user/MAC
combinations. 

How can I best achieve this? Any help would be appreciated. 

Best regards, 

Aaron Jansen



Group Authentication

2010-05-17 Thread Mike Wilson
I have compiled FreeRADIUS 2.1.8 on a fresh Ubuntu 9.10 install.  I am using
Microsoft SQL Server as a backend.  I have installed and successfully
configured UnixODBC and FreeTDS to get FreeRADIUS to communicate with the
server.  FreeRADIUS will authenticate users correctly from the radcheck and
radreply tables.  However, I am also trying to get it to return attributes
based on their group assignment.  I have uncommented the 'read_groups = yes'
directive and also put a 'Fall-Through = yes' into the radreply table, and
FreeRADIUS still will not check the group assignments.  I am at a loss here
as I have tried to get this working for almost a week now.  Any help would
be greatly appreciated!  Below is the output of my radiusd -X.

FreeRADIUS Version 2.1.8, for host i686-pc-linux-gnu, built on Mar 19 2010
at 16:33:42
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/sql.conf
including configuration file /usr/local/etc/raddb/sql/mssql/dialup.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/loc

Re: Different LDAP group authentication with different IPs

2010-02-25 Thread Peter Lambrechtsen
Search and you shall receive

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html

That's how I do it, and until anyone finds a better way...

On Thu, Feb 25, 2010 at 11:11 PM, Stephon Chen  wrote:

> Hello all
>
> I want to run only one radiusd (no virtual server) to support my scenario,
> and it is like below:
>
> From IP x.x.x.1 -> Only Allow LDAP Group A to access
> From IP x.x.x.2 -> Only Allow LDAP Group B to access
>
> from the doc/ldap_howto.txt, it seems not working
>
> I've found in mailing lists, and the proper solution is to use huntgroups
> and users file.
> But in freeradius 2.1.x, it's not recommended to use users to do so...
>
> Is there any good solution for this scenario?
>
> Thanks a lot
>
> stephon
>
>
>

Different LDAP group authentication with different IPs

2010-02-25 Thread Stephon Chen
Hello all

I want to run only one radiusd (no virtual server) to support my scenario,
and it is like below:

From IP x.x.x.1 -> Only Allow LDAP Group A to access
From IP x.x.x.2 -> Only Allow LDAP Group B to access

from the doc/ldap_howto.txt, it seems not working

I've found in mailing lists, and the proper solution is to use huntgroups
and users file.
But in freeradius 2.1.x, it's not recommended to use users to do so...

Is there any good solution for this scenario?

Thanks a lot

stephon

Re: Unix group authentication

2008-03-18 Thread Alan DeKok
Shawn Storey wrote:
> I have compiled and installed successfully FreeRADIUS2.0.3 on Debian
> (had to add a trailer to debian/changelog after the 2.0.3 section) and
> have setup EAP-TTLS for authenticating wireless users to UNIX accounts.
> What I would like to do is have FreeRADIUS check if the user is a member
> of the UNIX group "wireless" that I created and only allow members of
> that group to authenticate. Is this possible, and if so how?

  Something similar is in the FAQ.  Put this at the top of the "users" file:

DEFAULT Group != Wireless, Auth-Type := Reject

  That's it.

> We are
> planning to migrate all of our servers to OpenLDAP in the summer, which
> we have tested successfully, but I was hoping to get FreeRADIUS to do
> this in the meantime.

  You can't ask for much better than a 1-line change to a configuration
file.

  Alan DeKok.


Unix group authentication

2008-03-18 Thread Shawn Storey
Hello,
I have compiled and installed successfully FreeRADIUS2.0.3 on Debian (had to 
add a trailer to debian/changelog after the 2.0.3 section) and have setup 
EAP-TTLS for authenticating wireless users to UNIX accounts. What I would like 
to do is have FreeRADIUS check if the user is a member of the UNIX group 
"wireless" that I created and only allow members of that group to authenticate. 
Is this possible, and if so how? We are planning to migrate all of our servers 
to OpenLDAP in the summer, which we have tested successfully, but I was hoping 
to get FreeRADIUS to do this in the meantime.

Thanks

Authorization with LDAP Group, Authentication with MS AD

2006-05-30 Thread db7td
Hi,

I am doing authentication with smb/ntlm and additionally want to check if the user 
belongs to a special group. The first group lookup looks good (it fails, because 
the user is not in the group), but there is always a second one that grants 
permission (wrong!):

rlm_ldap: user xxx authorized to use remote access


What can be the reason for this?
  Dietmar



rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=..., with filter (sAMAccountName=xxx)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=G_wlan-data,ou=Groups,dc=...)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=xxx,OU=..., with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for xxx
radius_xlat:  '(sAMAccountName=xxx)'
radius_xlat:  'dc=.'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=..., with filter (sAMAccountName=xxx)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user xxx authorized to use remote access <--- WHY?!
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0



Re: What is this "group authentication"?

2006-01-09 Thread Alan DeKok
Gary Algier <[EMAIL PROTECTED]> wrote:
> Problem solved.  Here was what I finally googled on:
>  rlm_eap_peap: Received EAP-TLV response.

  That's just an informative message, and isn't the cause of the problem.

> I could not find any mention of "eap-tlv" in any config files
> or doc files, but in the mailing list someone else had this problem
> and the answer to them was to configure "mschap".  I had it configured,
> but apparently not correctly.

  While the debug log you posted to the list was large, this
information *was* in there.  The MSCHAP module said authentication
failed, and suggested a possible way to fix it.

> and it worked.  Perhaps it was the "with_ntdomain_hack".

  Which is what the mschap module suggested in the debug log.

  I understand the debug log is large and complicated, but the answers
*are* in there most of the time.  All it takes is patience to read
5-10 pages of gobbledygook.

  Alan DeKok.


Re: What is this "group authentication"?

2006-01-09 Thread Gary Algier

Gary Algier wrote:
> Alan DeKok wrote:
> > Gary Algier <[EMAIL PROTECTED]> wrote:
> > > I am trying to use the WinXP supplied supplicant and I am getting:
> > >    modcall: group authenticate returns invalid for request 41
> > >
> > > Can someone give me a hint as to what this means?

Problem solved.  Here was what I finally googled on:
rlm_eap_peap: Received EAP-TLV response.

I could not find any mention of "eap-tlv" in any config files
or doc files, but in the mailing list someone else had this problem
and the answer to them was to configure "mschap".  I had it configured,
but apparently not correctly.  I set it thus (thanks to
[EMAIL PROTECTED] for the example):
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
}
and it worked.  Perhaps it was the "with_ntdomain_hack".  I had NOT
set it because somewhere else it said:
# This configuration entry SHOULD NOT be used.
and I misinterpreted it as a global statement.

Also thanks to [EMAIL PROTECTED] for the note about needing the
KB885453 Hotfix.

Thanks to everyone for their patience.

--
Gary Algier, WB2FWZ  gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.


Re: What is this "group authentication"?

2006-01-09 Thread Gary Algier



Alan DeKok wrote:
> Gary Algier <[EMAIL PROTECTED]> wrote:
> > I am trying to use the WinXP supplied supplicant and I am getting:
> >    modcall: group authenticate returns invalid for request 41
> >
> > Can someone give me a hint as to what this means?
>
>   Read the *rest* of the debug log above that to see what's going on.

I did and I did not understand it (see below for the log).  I thought
that perhaps there was some sort of groups I needed to set up.

> > When I use the WinXP builtin supplicant in "Automatically use my
> > Windows login..." mode, Freeradius fails with the group
> > authentication message.
>
>   It's not "group authentication", it's the "authentication" section
> of "radiusd.conf".
>
> > If I uncheck that and type a login
> > and password (but not a domain), it works fine.  It never does
> > any sort of group check.  If I supply a domain, it does the group
> > check (and fails).  When does it check groups?  What is it
> > checking?
>
>   Read the *rest* of the debug log.

Here's the log (when it fails with a domain supplied):
---
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/ulcmit/raddb/clients.conf
Config:   including file: /etc/ulcmit/raddb/snmp.conf
Config:   including file: /etc/ulcmit/raddb/eap.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "radiusd"
 main: group = "radiusd"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded Pam
 pam: pam_auth = "radiusd"
Module: Instantiated pam (pam)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "mschapv2"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/ulcmit/raddb/certs/pyrope.ulticom.com.key"
 tls: certificate_file = "/etc/ulcmit/raddb/certs/pyrope.ulticom.com.crt"
 tls: CA_file = "/etc/ulcmit/raddb/certs/ca.pem"
 tls: private_key_password = "(null)"
 tls: dh_file = "/etc/ulcmit/raddb/certs/dh"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded

Re: What is this "group authentication"?

2006-01-06 Thread Alan DeKok
Gary Algier <[EMAIL PROTECTED]> wrote:
> I am trying to use the WinXP supplied supplicant and I am getting:
> modcall: group authenticate returns invalid for request 41
> 
> Can someone give me a hint as to what this means?

  Read the *rest* of the debug log above that to see what's going on.

> When I use the WinXP builtin supplicant in "Automatically use my
> Windows login..." mode, Freeradius fails with the group
> authentication message.

  It's not "group authentication", it's the "authentication" section
of "radiusd.conf".

> If I uncheck that and type a login
> and password (but not a domain), it works fine.  It never does
> any sort of group check.  If I supply a domain, it does the group
> check (and fails).  When does it check groups?  What is it
> checking?

  Read the *rest* of the debug log.

  If all you do is look at the last line or two, you're guaranteed to
not see what's going on.

  Alan DeKok.



What is this "group authentication"?

2006-01-06 Thread Gary Algier

Hi:

I am trying to use the WinXP supplied supplicant and I am getting:
   modcall: group authenticate returns invalid for request 41

Can someone give me a hint as to what this means?

When I use the WinXP builtin supplicant in "Automatically use my
Windows login..." mode, Freeradius fails with the group
authentication message.  If I uncheck that and type a login
and password (but not a domain), it works fine.  It never does
any sort of group check.  If I supply a domain, it does the group
check (and fails).  When does it check groups?  What is it
checking?

I am using Freeradius 1.0.5, Sun's DS (with Samba attributes loaded),
and WinXP SP2.

BTW: I am stripping the hostname when doing the user lookups in LDAP
using this:
 filter = "(&(objectclass=person)(uid=%{exec:/etc/ulcmit/raddb/nodomain 
%{User-Name}}))"
where "nodomain" strips the domain portion.  My LDAP lookups work fine.

--
Gary Algier, WB2FWZ  gaa at ulticom.com +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
People don't read documentation voluntarily.


RE: Group Authentication

2004-07-30 Thread Jody L. Whitlock



I do know it's possible, but I can't find any documentation
on how to implement this.  I've been told to use the
format

unix-group == pppusers Auth-Type := System
        Fall-Through = Yes

unix-group == pppusers
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Idle-Timeout = 600,
        Session-Timeout = 28800,
        Port-Limit = 1

Where I'm replacing the current setting of DEFAULT with unix-group ==
pppusers, but when I do this, radiusd will not start.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Milver S. Nisay
Sent: Friday, July 30, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: Re: Group Authentication

> > I am attempting to use unix-group authentication.  I have the System
> > authentication working for all users, but I want only one specific
> > group to be allowed.
>
> If your question is whether it is possible, the answer would be YES.
> .//milver


Re: Group Authentication

2004-07-30 Thread Milver S. Nisay



 

> I am attempting to use unix-group authentication.  I have the System
> authentication working for all users, but I want only one specific
> group to be allowed.

If your question is whether it is possible, the answer would be YES.
.//milver


RE: Group Authentication

2004-07-30 Thread Ryan Moreton



I am trying to achieve the same thing.

Can this be achieved on the radius server setup or is it possible to force
the devices to use a specific group in their radius configuration?

Thanks in advance

Ryan

> -Original Message-
> From: Jody L. Whitlock [mailto:[EMAIL PROTECTED]
> Sent: 30 July 2004 15:47
> To: [EMAIL PROTECTED]
> Subject: Group Authentication
>
> I am attempting to use unix-group authentication.  I have the System
> authentication working for all users, but I want only one specific
> group to be allowed.
>
> Thank You


Group Authentication

2004-07-30 Thread Jody L. Whitlock



I am attempting to use unix-group authentication.  I have the System
authentication working for all users, but I want only one specific
group to be allowed.

Thank You




RE: Active Directory Group Authentication

2004-03-15 Thread Kostas Kalevras
ot;password"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for dpatest
> radius_xlat:  '(sAMAccountName=dpatest)'
> radius_xlat:  'DC=,DC=XX,DC=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to mydc.X.com:389, authentication 0
> rlm_ldap: bind as CN=freeradius,CN=Users,DC=XXX,DC=XXX,DC=/X to
> mydc.X.com:389
> rlm_ldap: waiting for bind result ...
> request 1 done
> rlm_ldap: performing search in DC=,DC=,DC=com, with filter
> (sAMAccountName=dpatest)
> request 2 done
> rlm_ldap: performing search in DC=,DC=X,DC=com, with filter
> (objectclass=radiusprofile)
> request 3 done
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: default_profile/user-profile search failed
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user dpatest authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "dpatest" with password "password"
> rlm_ldap: user DN: CN=dpatest,CN=Users,DC=X,DC=X,DC=com
> rlm_ldap: (re)connect to mydc.X.com:389, authentication 1
> rlm_ldap: bind as CN=dpatest,CN=Users,DC=X,DC=X,DC=com/password to
> mydc..com:389
> rlm_ldap: waiting for bind result ...
> request 1 done
> rlm_ldap: user dpatest authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok
> modcall: group Auth-Type returns ok
> Sending Access-Accept of id 9 to 127.0.0.1:43633
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
>
> [EMAIL PROTECTED] root]#
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf
> > Of Dustin
> > Doris
> > Sent: Thursday, March 11, 2004 12:00 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Active Directory Group Authentication
> >
> >
> > On Thu, 11 Mar 2004, Albers Darren wrote:
> >
> > > Hello all,
> > >
> > > I am attempting to use FreeRadius to authenticate based on
> > a group in active
> > > directory.  I have it performing authentication using LDAP against
> > > Active-Directory fine, but I would like to restrict it
> > based on group
> > > membership.  From what I can determine I should use the
> > users file to enable
> > > group authentication but I don't seem to have that done correctly.
> > >
> > > After reading the archives I read a great page:
> > http://doris.name/radius/
> > > that I think explains how to do what I want to do but
> > whenever I add the
> > > following to users:
> > > DEFAULT Ldap-Group == My_group, Auth-Type := reject
> > > Reply-Message = "Account disabled.  Please call the
> > helpdesk."
> > >
> > > it doesn't seem to matter who logs in, as long as they have
> > a valid Active
> > > Directory account and the password is the correct they are
> > allowed in.
> > > After searching through the archives again I still am at a
> > loss, I am
> > > obviously missing something but I am not sure what.  Can
> > someone point me in
> > > the right direction?
> > >
> > > Thank you!
> > >
> > > Darren
> > >
> >
> > How do you have the groupmembership part of ldap in
> > radiusd.conf setup?
> >
> > Also, can you post an example radiusd -X output?
> >
> >
> >

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: Active Directory Group Authentication

2004-03-11 Thread Dustin Doris
t; 1814/udp.
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:43633, id=9, length=59
>   User-Name = "dpatest"
>   User-Password = "password"
>   NAS-IP-Address = 255.255.255.255
>   NAS-Port = 1812
> modcall: entering group authorize
>   modcall[authorize]: module "preprocess" returns ok
>   modcall[authorize]: module "chap" returns noop
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for dpatest
> radius_xlat:  '(sAMAccountName=dpatest)'
> radius_xlat:  'DC=,DC=XX,DC=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to mydc.X.com:389, authentication 0
> rlm_ldap: bind as CN=freeradius,CN=Users,DC=XXX,DC=XXX,DC=/X to
> mydc.X.com:389
> rlm_ldap: waiting for bind result ...
> request 1 done
> rlm_ldap: performing search in DC=,DC=,DC=com, with filter
> (sAMAccountName=dpatest)
> request 2 done
> rlm_ldap: performing search in DC=,DC=X,DC=com, with filter
> (objectclass=radiusprofile)
> request 3 done
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: default_profile/user-profile search failed
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user dpatest authorized to use remote access
> ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
>   rad_check_password:  Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group Auth-Type
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "dpatest" with password "password"
> rlm_ldap: user DN: CN=dpatest,CN=Users,DC=X,DC=X,DC=com
> rlm_ldap: (re)connect to mydc.X.com:389, authentication 1
> rlm_ldap: bind as CN=dpatest,CN=Users,DC=X,DC=X,DC=com/password to
> mydc..com:389
> rlm_ldap: waiting for bind result ...
> request 1 done
> rlm_ldap: user dpatest authenticated succesfully
>   modcall[authenticate]: module "ldap" returns ok
> modcall: group Auth-Type returns ok
> Sending Access-Accept of id 9 to 127.0.0.1:43633
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
>
> [EMAIL PROTECTED] root]#
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf
> > Of Dustin
> > Doris
> > Sent: Thursday, March 11, 2004 12:00 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: Active Directory Group Authentication
> >
> >
> > On Thu, 11 Mar 2004, Albers Darren wrote:
> >
> > > Hello all,
> > >
> > > I am attempting to use FreeRadius to authenticate based on
> > a group in active
> > > directory.  I have it performing authentication using LDAP against
> > > Active-Directory fine, but I would like to restrict it
> > based on group
> > > membership.  From what I can determine I should use the
> > users file to enable
> > > group authentication but I don't seem to have that done correctly.
> > >
> > > After reading the archives I read a great page:
> > http://doris.name/radius/
> > > that I think explains how to do what I want to do but
> > whenever I add the
> > > following to users:
> > > DEFAULT Ldap-Group == My_group, Auth-Type := reject
> > > Reply-Message = "Account disabled.  Please call the
> > helpdesk."
> > >
> > > it doesn't seem to matter who logs in, as long as they have
> > a valid Active
> > > Directory account and the password is the correct they are
> > allowed in.
> > > After searching through the archives again I still am at a
> > loss, I am
> > > obviously missing something but I am not sure what.  Can
> > someone point me in
> > > the right direction?
> > >
> > > Thank you!
> > >
> > > Darren
> > >
> >
> > How do you have the groupmembership part of ldap in
> > radiusd.conf setup?
> >
> > Also, can you post an example radiusd -X output?
> >
> >
> >



RE: Active Directory Group Authentication

2004-03-11 Thread Albers Darren
access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group Auth-Type
rlm_ldap: - authenticate
rlm_ldap: login attempt by "dpatest" with password "password"
rlm_ldap: user DN: CN=dpatest,CN=Users,DC=X,DC=X,DC=com
rlm_ldap: (re)connect to mydc.X.com:389, authentication 1
rlm_ldap: bind as CN=dpatest,CN=Users,DC=X,DC=X,DC=com/password to
mydc..com:389
rlm_ldap: waiting for bind result ...
request 1 done
rlm_ldap: user dpatest authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok
modcall: group Auth-Type returns ok
Sending Access-Accept of id 9 to 127.0.0.1:43633
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

[EMAIL PROTECTED] root]#

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf 
> Of Dustin
> Doris
> Sent: Thursday, March 11, 2004 12:00 PM
> To: '[EMAIL PROTECTED]'
> Subject: Re: Active Directory Group Authentication
> 
> 
> On Thu, 11 Mar 2004, Albers Darren wrote:
> 
> > Hello all,
> >
> > I am attempting to use FreeRadius to authenticate based on 
> a group in active
> > directory.  I have it performing authentication using LDAP against
> > Active-Directory fine, but I would like to restrict it 
> based on group
> > membership.  From what I can determine I should use the 
> users file to enable
> > group authentication but I don't seem to have that done correctly.
> >
> > After reading the archives I read a great page: 
> http://doris.name/radius/
> > that I think explains how to do what I want to do but 
> whenever I add the
> > following to users:
> > DEFAULT Ldap-Group == My_group, Auth-Type := reject
> > Reply-Message = "Account disabled.  Please call the 
> helpdesk."
> >
> > it doesn't seem to matter who logs in, as long as they have 
> a valid Active
> > Directory account and the password is the correct they are 
> allowed in.
> > After searching through the archives again I still am at a 
> loss, I am
> > obviously missing something but I am not sure what.  Can 
> someone point me in
> > the right direction?
> >
> > Thank you!
> >
> > Darren
> >
> 
> How do you have the groupmembership part of ldap in 
> radiusd.conf setup?
> 
> Also, can you post an example radiusd -X output?
> 
> 
> 


Re: Active Directory Group Authentication

2004-03-11 Thread Dustin Doris
On Thu, 11 Mar 2004, Albers Darren wrote:

> Hello all,
>
> I am attempting to use FreeRadius to authenticate based on a group in active
> directory.  I have it performing authentication using LDAP against
> Active-Directory fine, but I would like to restrict it based on group
> membership.  From what I can determine I should use the users file to enable
> group authentication but I don't seem to have that done correctly.
>
> After reading the archives I read a great page: http://doris.name/radius/
> that I think explains how to do what I want to do but whenever I add the
> following to users:
> DEFAULT Ldap-Group == My_group, Auth-Type := reject
> Reply-Message = "Account disabled.  Please call the helpdesk."
>
> it doesn't seem to matter who logs in, as long as they have a valid Active
> Directory account and the password is the correct they are allowed in.
> After searching through the archives again I still am at a loss, I am
> obviously missing something but I am not sure what.  Can someone point me in
> the right direction?
>
> Thank you!
>
> Darren
>

How do you have the groupmembership part of ldap in radiusd.conf setup?

Also, can you post an example radiusd -X output?





Active Directory Group Authentication

2004-03-11 Thread Albers Darren
Hello all,

I am attempting to use FreeRadius to authenticate based on a group in active
directory.  I have it performing authentication using LDAP against
Active-Directory fine, but I would like to restrict it based on group
membership.  From what I can determine I should use the users file to enable
group authentication but I don't seem to have that done correctly.   

After reading the archives I read a great page: http://doris.name/radius/
that I think explains how to do what I want to do but whenever I add the
following to users:
DEFAULT Ldap-Group == My_group, Auth-Type := reject
Reply-Message = "Account disabled.  Please call the helpdesk."

it doesn't seem to matter who logs in, as long as they have a valid Active
Directory account and the password is the correct they are allowed in.
After searching through the archives again I still am at a loss, I am
obviously missing something but I am not sure what.  Can someone point me in
the right direction?

Thank you!

Darren

