Re: No Auth in Debian Lenny

2010-04-20 Thread Josip Rodin
On Mon, Apr 19, 2010 at 05:10:09PM -0500, Jonathan Hutchins wrote:
 On Monday 19 April 2010 04:33:25 pm Josip Rodin wrote:
 
  The suffix module didn't recognize \ as a delimiter. You probably need to
  tell it explicitly to do that. To add your own module instance, just add a
  new file in /etc/freeradius/modules/. (There is no available/enabled
  mechanism for modules, yet.)
 
 (One would think the mschap module would do this.)  Which file currently 
 specifies how the username is parsed (as an example for building my own 
 file)?  When I used the format from the 1.x configuration I got similar 
 results.

Backtracking a little now... the default config file
/etc/freeradius/modules/realm says:

realm ntdomain {
    format = prefix
    delimiter = \\
}

That means that you already have this configured, but you're not calling it.

One of your virtual host's authorize section calls 'suffix' (evidenced by
the log). Find that and simply replace it with 'ntdomain'.

-- 
 2. That which causes joy or happiness.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
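
Added example, not part of the thread or of FreeRADIUS itself: a small Python check for the diagnosis in the message above. It reads the realm instances defined in a modules/realm style file, lists which of them a virtual host's authorize section actually calls, and shows how each would split a given User-Name. The `suffix` stanza, the authorize section contents, the helper names and the split logic (a simplified model of the realm module) are assumptions made for illustration.

```python
import re

# Constructed sample: the ntdomain stanza follows the snippet quoted above; the
# suffix stanza and the authorize section contents are assumptions.
MODULES_REALM = r'''
realm suffix {
    format = suffix
    delimiter = "@"
}
realm ntdomain {
    format = prefix
    delimiter = "\\"
}
'''
SITE_BEFORE = "authorize {\n    preprocess\n    mschap\n    suffix\n    files\n}\n"
SITE_AFTER = SITE_BEFORE.replace("suffix", "ntdomain")

def parse_realm_instances(text):
    """Return {instance_name: (format, delimiter_char)} for each realm stanza."""
    out = {}
    for name, body in re.findall(r'realm\s+(\w+)\s*\{([^}]*)\}', text):
        opts = dict(re.findall(r'(\w+)\s*=\s*"?([^"\s]+)"?', body))
        delim = opts.get("delimiter", "@").replace("\\\\", "\\")  # unescape \\
        out[name] = (opts.get("format", "suffix"), delim[0])
    return out

def authorize_calls(site_text):
    """Module names listed one per line inside authorize { ... }."""
    m = re.search(r'authorize\s*\{([^}]*)\}', site_text)
    lines = m.group(1).splitlines() if m else []
    return [l.strip() for l in lines if l.strip() and not l.strip().startswith("#")]

def split_user(user, fmt, delim):
    """Simplified model of the realm split: (realm, user) or None if no match."""
    if delim not in user:
        return None
    if fmt == "prefix":
        realm, _, name = user.partition(delim)    # realm before first delimiter
    else:
        name, _, realm = user.rpartition(delim)   # realm after last delimiter
    return realm, name

def diagnose(site_text, user, modules_text=MODULES_REALM):
    """For each realm instance called in authorize, show how it splits user."""
    inst = parse_realm_instances(modules_text)
    return {c: split_user(user, *inst[c])
            for c in authorize_calls(site_text) if c in inst}

if __name__ == "__main__":
    for label, site in (("before", SITE_BEFORE), ("after", SITE_AFTER)):
        print(label, diagnose(site, "DOMAIN\\user"))
```

A result of `None` for every called instance means no realm was extracted from the User-Name, which is the situation described in the message above when only `suffix` is called.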


Re: No Auth in Debian Lenny

2010-04-20 Thread Alan DeKok
Jonathan Hutchins wrote:
 Wow, much more complex than the existing external documentation suggests. 

  (1) Read http://freeradius.org/doc/

  Most external documentation is wrong.

  (2) The *default install* sets up those files correctly.  The only
reason for not having those files is you did something unusual.

 Is 
 there any documentation of all the steps necessary to do a PPTP authorization 
 for Windows clients?

  Read the NAS documentation to see what it requires in an
Access-Accept.  Then, configure FreeRADIUS to send those attributes.

  See man users and man unlang for how to send back attributes.
There are TONS of examples.

  Alan DeKok.


Re: No Auth in Debian Lenny

2010-04-20 Thread Jonathan Hutchins
Thanks for your replies and help.

On Saturday 17 April 2010 01:51:22 am Alan DeKok wrote:

  (1) Read http://freeradius.org/doc/
  Most external documentation is wrong.

This is the documentation I was working from: 
http://wiki.freeradius.org/PopTop

Not external after all.

Now that the FAQ is fixed it's a bit easier to get information.

Yes, the main documentation is thorough, but while it specifies all of the 
possible options and configurations, it's a bit difficult to winnow down to a 
specific, simple example.

 Read the NAS documentation to see what it requires in an
 Access-Accept.  Then, configure FreeRADIUS to send those attributes.

NAS configuration is a perfect example.  It wasn't necessary to worry about it 
in the 1.x configuration (for poptop at least), and it's not clear to me what 
mechanism 1.x actually used.  I don't actually run a mechanism intended for 
Network Authentication on my single-server network.  Do I need to worry about 
PAM or Samba as login servers?  Do I need to worry that the Samba 
configuration has changed from smbpasswd to tdbsam?

It looks to me like whatever the NAS configuration should be, it's working, 
with the minor detail of parsing the domain or realm from the username.

The current documentation is an excellent reference for the experienced expert 
in FreeRADIUS.  It is not so useful as an introduction to someone merely 
trying to accomplish a simple task.



Re: No Auth in Debian Lenny

2010-04-20 Thread Alan DeKok
Jonathan Hutchins wrote:
 This is the documentation I was working from: 
 http://wiki.freeradius.org/PopTop
 
 Not external after all.

  And not wrong, either.

 Yes, the main documentation is thorough, but while it specifies all of the 
 possible options and configurations, it's a bit difficult to winnow down to a 
 specific, simple example.

  The configuration files come with many, many, examples.  As does the
documentation (doc/ directory, FAQ, Wiki...) Perhaps there is another
place where we could add examples?

 NAS configuration is a perfect example.  It wasn't necessary to worry about 
 it in the 1.x configuration (for poptop at least),

  Because the NAS accepted the standard attributes.  Not all NASes do.

 and it's not clear to me what mechanism 1.x actually used.

  That's the real problem.  If you don't understand the 1.x config, then
2.x (which is slightly more complicated) will be a mystery.

  I don't actually run a mechanism intended for 
 Network Authentication on my single-server network.  Do I need to worry about 
 PAM or Samba as login servers?  Do I need to worry that the Samba 
 configuration has changed from smbpasswd to tdbsam?

  Does that have any effect on the RADIUS packets?

 It looks to me like whatever the NAS configuration should be, it's working, 
 with the minor detail of parsing the domain or realm from the username.
 
 The current documentation is an excellent reference for the experienced 
 expert in FreeRADIUS.  It is not so useful as an introduction to someone 
 merely trying to accomplish a simple task.

  Like configuring attributes that go in the Access-Accept?

  What part of the users file is hard to understand?  The format and
behavior hasn't really changed in *15 years*.  There are literally
dozens of examples in the users file, and hundreds more on the web.

  Alan DeKok.


Re: No Auth in Debian Lenny

2010-04-19 Thread Jonathan Hutchins
On Sunday 18 April 2010 05:38:23 am Josip Rodin wrote:

 You haven't enabled anything in /etc/freeradius/sites-enabled/ which means
 the server isn't told what to actually *do* with the modules and clients :)

 You need to find one of the default virtual host configs in
 /etc/freeradius/sites-available/ that suits you, and then symlink it into
 the ...-enabled directory. You can also copy it into a new file and
 symlink/enable that. Also make sure the right authorization sections
 within the virtual host reference the mppe module if you need it.

Wow, much more complex than the existing external documentation suggests.  Is 
there any documentation of all the steps necessary to do a PPTP authorization 
for Windows clients?  (I realize that if one understood all of the things 
freeradius was capable of and all of the steps that it went through to 
perform such an authorization, the documentation in the files would be 
sufficient, but I lack such expertise.)


Re: No Auth in Debian Lenny

2010-04-19 Thread Jonathan Hutchins
I enabled the default site example from sites-available, now I'm back to 
seeing errors trying to parse the realm or NT domain from DOMAIN\\user.  
Log attached.

Really appreciate the help with this.


frdebug.tgz
Description: application/tgz

Re: No Auth in Debian Lenny

2010-04-19 Thread Josip Rodin
On Mon, Apr 19, 2010 at 02:55:21PM -0500, Jonathan Hutchins wrote:
 I enabled the default site example from sites-available, now I'm back to 
 seeing errors trying to parse the realm or NT domain from DOMAIN\\user.  
 Log attached.
 
 Really appreciate the help with this.

You don't need to tar and gzip a single 12 KB file. Just attach the text :)

The suffix module didn't recognize \ as a delimiter. You probably need to
tell it explicitly to do that. To add your own module instance, just add a
new file in /etc/freeradius/modules/. (There is no available/enabled
mechanism for modules, yet.)

As for mschap, I don't know much about it so I'm useless for that.

-- 
 2. That which causes joy or happiness.


Re: No Auth in Debian Lenny

2010-04-19 Thread Jonathan Hutchins
On Monday 19 April 2010 04:33:25 pm Josip Rodin wrote:

 The suffix module didn't recognize \ as a delimiter. You probably need to
 tell it explicitly to do that. To add your own module instance, just add a
 new file in /etc/freeradius/modules/. (There is no available/enabled
 mechanism for modules, yet.)

(One would think the mschap module would do this.)  Which file currently 
specifies how the username is parsed (as an example for building my own 
file)?  When I used the format from the 1.x configuration I got similar 
results.



Re: No Auth in Debian Lenny

2010-04-18 Thread Josip Rodin
On Sat, Apr 17, 2010 at 11:14:59AM -0500, Jonathan Hutchins wrote:
 On Saturday 17 April 2010 01:51:22 am Alan DeKok wrote:
 
   Post the debug log, as suggested in the FAQ, README, INSTALL, man
  page, and daily on this list.
 
 Attached.
 
 Are there any issues with freeradius and samba's tdbsam password backend?
 
 Basically I've added the client to the clients file and turned on mppe, 
 that's about the extent of the configuration.

You haven't enabled anything in /etc/freeradius/sites-enabled/ which means
the server isn't told what to actually *do* with the modules and clients :)

You need to find one of the default virtual host configs in
/etc/freeradius/sites-available/ that suits you, and then symlink it into
the ...-enabled directory. You can also copy it into a new file and
symlink/enable that. Also make sure the right authorization sections
within the virtual host reference the mppe module if you need it.

-- 
 2. That which causes joy or happiness.


Re: No Auth in Debian Lenny

2010-04-17 Thread Alan DeKok
Jonathan Hutchins wrote:
   I've followed the various howtos to no avail.

  Read http://freeradius.org/doc/

  Most of those how-to's are wrong.

  Currently running 2.1.8 from 
 Debian Lenny Backports it says No authenticate method (Auth-Type) 
 configuration found for the request: Rejecting the user.  It is showing the 
 username as NTDOMAIN\\username.

  Post the debug log, as suggested in the FAQ, README, INSTALL, man
page, and daily on this list.

  Honestly, there's no excuse for not doing that.

  On 2.0.4 it was having trouble parsing the 
 realm from the address, but I can't find where realm strings are configured 
 in the current version, and it's not saying anything about the realm in the 
 debug.

  How about grep?  Or read the debug output.  Look for the word realm.

$ grep realm raddb/*

 I do get a session debug, which makes me think the problem is not with the 
 client config but with the freeradius server.

  I have no idea what that means.

 Debian has split the configuration for mppe into a file in the modules 
 directory, and I have enabled mppe there.

  That has nothing to do with realms.

  Alan DeKok.


Re: No Auth in Debian Lenny

2010-04-17 Thread Jonathan Hutchins
On Saturday 17 April 2010 01:51:22 am Alan DeKok wrote:

   Post the debug log, as suggested in the FAQ, README, INSTALL, man
 page, and daily on this list.

Attached.

Are there any issues with freeradius and samba's tdbsam password backend?

Basically I've added the client to the clients file and turned on mppe, that's 
about the extent of the configuration.


frdebug.tgz
Description: application/tgz

Re: No Auth in Debian Lenny

2010-04-17 Thread Jonathan Hutchins
On Saturday 17 April 2010 01:51:22 am Alan DeKok wrote:

   Post the debug log, as suggested in the FAQ, README, INSTALL, man
 page, and daily on this list.

BTW the FAQ is currently a dead link.


No Auth in Debian Lenny

2010-04-16 Thread Jonathan Hutchins
I'm having trouble getting freeradius to auth for PPTPD and Windows clients.  
The Client was configured to auth to a previous Gentoo server, and was 
working fine.  My test PPTP client is actually a linux box, but configured to 
connect to the PPTPD server as a windows client, other Windows clients could 
connect to the previous configuration.

  I've followed the various howtos to no avail.  Currently running 2.1.8 from 
Debian Lenny Backports it says No authenticate method (Auth-Type) 
configuration found for the request: Rejecting the user.  It is showing the 
username as NTDOMAIN\\username.  On 2.0.4 it was having trouble parsing the 
realm from the address, but I can't find where realm strings are configured 
in the current version, and it's not saying anything about the realm in the 
debug.

I do get a session debug, which makes me think the problem is not with the 
client config but with the freeradius server.

Debian has split the configuration for mppe into a file in the modules 
directory, and I have enabled mppe there.