RE: Active Directory and FreeRadius

2005-07-14 Thread Talwar, Puneet (NIH/NIAID)
Well, I can use pam_krb5, but what I am trying to accomplish here is that I
have quite a few Linux workstations on my network, and I thought I could
set up those Linux workstations to point to the RADIUS server, where they log in
using their Active Directory credentials.


So I am not sure if this can be done or not, but I would like to hear from anybody
who has done something similar to what I am doing.

Thanks,






- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Active Directory and FreeRadius

2005-07-14 Thread Alan DeKok
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> Well, I can use pam_krb5, but what I am trying to accomplish here is that I
> have quite a few Linux workstations on my network, and I thought I could
> set up those Linux workstations to point to the RADIUS server, where they log in
> using their Active Directory credentials.

  You said that already.

  What you may not know is that AD implements Kerberos.  You can use
pam_krb5 on the Linux boxes to do *exactly* the same thing, but
without using RADIUS at all.

  Alan DeKok.



RE: Active Directory and FreeRadius

2005-07-14 Thread Zawacki Jason D Ctr AFRL/IFOS
I'd recommend skipping PAM and using MIT's Kerberized telnet.  I don't
believe PAM supports single sign-on, whereas you can have single sign-on with
Kerberized telnet.



Re: Active Directory and FreeRadius

2005-07-14 Thread Michael Fisher
RADIUS is not really appropriate. Personally I'd take a look at
http://www.wlug.org.nz/ActiveDirectorySamba and
http://mirrors.techiesabode.com/linuxgazette/101/levkovich.html





Re: Active Directory and FreeRadius

2005-07-13 Thread Alan DeKok
Talwar, Puneet (NIH/NIAID) [EMAIL PROTECTED] wrote:
> I was able to auth against AD by setting up KRB5 on RHEL.  Now I would like
> to set up freeradius where I will have a bunch of UNIX workstations that will
> point to the freeradius server using the pam_radius_auth module and will auth
> against the radius server using their AD credentials.

  Why not just use pam_krb5?

  Alan DeKok.


RE: Active Directory and FreeRadius

2005-01-26 Thread DeYoung, Brandon
Thanks for the quick response, Dustin.
Here are entries from my users file (I removed the comments for easy
reading):

test    Auth-Type := Local, User-Password == testing
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 43.191.104.146,
        Framed-IP-Netmask = 255.255.252.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = std.ppp,
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Auth-Type = System
        Fall-Through = 1

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == CSLIP
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == SLIP
        Framed-Protocol = SLIP


/etc/raddb/radiusd.conf (authenticate section)


authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type LDAP {
                ldap
        }
}

I had a hunch I might be missing something in the users file... did I
mention this is my first foray into radius?

Thanks in advance for any assistance,
~Brandon




RE: Active Directory and FreeRadius

2005-01-26 Thread Dustin Doris
Comments below.

> Thanks for the quick response, Dustin.
> Here are entries from my users file (I removed the comments for easy
> reading):
>
> test    Auth-Type := Local, User-Password == testing
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-Address = 43.191.104.146,
>         Framed-IP-Netmask = 255.255.252.0,
>         Framed-Routing = Broadcast-Listen,
>         Framed-Filter-Id = std.ppp,
>         Framed-MTU = 1500,
>         Framed-Compression = Van-Jacobson-TCP-IP

Try taking out the entry below, which is setting Auth-Type to System.
Just comment it out, then restart radius and test again.

like this:
#DEFAULT Auth-Type = System
# Fall-Through = 1


> DEFAULT Service-Type == Framed-User
>         Framed-IP-Address = 255.255.255.254,
>         Framed-MTU = 576,
>         Service-Type = Framed-User,
>         Fall-Through = Yes
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == CSLIP
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == SLIP
>         Framed-Protocol = SLIP
>
>
> /etc/raddb/radiusd.conf (authenticate section)
>
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>
>         Auth-Type LDAP {
>                 ldap
>         }
> }

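Dustin's fix works because of how rlm_files walks the users file: the "DEFAULT Auth-Type = System" entry matches every user, its "=" operator fills in Auth-Type because nothing has set it yet, and "Fall-Through = 1" keeps the walk going, so rlm_ldap later finds Auth-Type already set and the authenticate section has no "Auth-Type System" block to run. The script below is an added model of that walk, not FreeRADIUS code; it assumes the users-file operator semantics just described, models rlm_ldap as setting Auth-Type := LDAP only when it is still unset, and uses an abridged copy of the users file from the post.

```python
"""Added model (not FreeRADIUS code) of the users-file walk behind the thread's
'Found Auth-Type System' failure.  Assumed users(5) semantics: '==' compares with
the request, '=' sets a config item only if absent, ':=' always sets it, and an
entry ends the walk unless one of its reply items is Fall-Through = Yes (or 1)."""
import re

ITEM = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,]+?)\s*(?:,|$)')

# Abridged from the post's users file; FIXED_USERS comments out the offending entry.
BROKEN_USERS = """\
test\tAuth-Type := Local, User-Password == testing
\tService-Type = Framed-User

DEFAULT\tAuth-Type = System
\tFall-Through = 1

DEFAULT\tService-Type == Framed-User
\tFramed-MTU = 576,
\tFall-Through = Yes
"""
FIXED_USERS = (BROKEN_USERS
               .replace("DEFAULT\tAuth-Type = System", "#DEFAULT\tAuth-Type = System")
               .replace("\tFall-Through = 1", "#\tFall-Through = 1"))
AUTHENTICATE_HANDLERS = {"PAP", "LDAP"}   # authenticate {} sub-sections in the post

def parse_items(text):                   # 'Attr op Value, ...' -> [(attr, op, value)]
    return [(a, op, v.strip('"')) for a, op, v in ITEM.findall(text)]

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        if line.startswith((" ", "\t")):               # indented: reply items
            entries[-1][2].extend(parse_items(line))
        elif line:                                     # name + check items
            parts = line.split(None, 1) + [""]
            entries.append((parts[0], parse_items(parts[1]), []))
    return entries

def apply_entry(entry, request, config):
    """Apply one entry's check items to config; return (matched, fall_through)."""
    name, checks, replies = entry
    if name not in ("DEFAULT", request.get("User-Name")):
        return False, False
    if any(op == "==" and request.get(attr) != val for attr, op, val in checks):
        return False, False                            # a comparison failed
    for attr, op, val in checks:                       # '=' only fills a gap
        if op == ":=" or (op == "=" and attr not in config):
            config[attr] = val
    fall = any(a == "Fall-Through" and v.lower() in ("yes", "1") for a, _, v in replies)
    return True, fall

def resolve_auth_type(users_text, request):
    """rlm_files walk, then a modelled rlm_ldap that sets LDAP only if still unset."""
    config = {}
    for entry in parse_users(users_text):
        matched, fall = apply_entry(entry, request, config)
        if matched and not fall:
            break
    config.setdefault("Auth-Type", "LDAP")
    return config["Auth-Type"]

def can_authenticate(auth_type):         # is there an 'Auth-Type X { }' block for it?
    return auth_type in AUTHENTICATE_HANDLERS
```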


RE: Active Directory and FreeRadius

2005-01-26 Thread DeYoung, Brandon
That worked like a charm!
Thank you ever so much,
~Brandon



Re: Active Directory and FreeRadius

2005-01-25 Thread Dustin Doris

> Hello all,
> I am trying to configure FreeRadius to auth against Active
> Directory. I was wondering if anyone on the list has done this successfully.
> I thought the best way to go was to connect to A.D. as if it was an LDAP
> server, (please let me know if there is a better way).
>
> Any tips or docs would be greatly appreciated.
> Before anyone asks... I would love to use OpenLDAP instead, but that is not
> my karma.
>
> I started radiusd in debug mode and here is the output I am getting:
>
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112,
> length=48
> User-Name = deyoungb
> User-Password = secret
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
>   modcall[authorize]: module preprocess returns ok for request 0
> rlm_realm: No '@' in User-Name = deyoungb, looking up realm NULL
> rlm_realm: No such realm NULL
>   modcall[authorize]: module suffix returns noop for request 0
> users: Matched DEFAULT at 152
>   modcall[authorize]: module files returns ok for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for deyoungb
> radius_xlat:  '(cn=deyoungb)'
> radius_xlat:  'DC=am,DC=sony,DC=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 43.143.144.20:389, authentication 0
> rlm_ldap: bind as CN=~MyAccessAccount,OU=Service
> Accounts,DC=am,DC=sony,DC=com/very_secret to 43.143.144.20:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in DC=am,DC=sony,DC=com, with filter
> (cn=deyoungb)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user deyoungb authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module ldap returns ok for request 0
> modcall: group authorize returns ok for request 0

Looks good up to here, then it switches to Auth-Type of System.

>   rad_check_password:  Found Auth-Type System
> auth: type System
>   ERROR: Unknown value specified for Auth-Type.  Cannot perform requested
> action.
> auth: Failed to validate the user.
> Delaying request 0 for 1 seconds
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 1 seconds...
> rad_recv: Access-Request packet from host 43.191.104.141:2611, id=112,
> length=48
> Sending Access-Reject of id 112 to 43.191.104.141:2611
> --- Walking the entire request list ---
> Waking up in 3 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 112 with timestamp 41f6f231
> Nothing to do.  Sleeping until we see a request.



What is in your users file and the authenticate section of radiusd.conf?
Something is making it try System instead of Ldap for authentication.


