Re: How do I set up simple AD integration?

2006-04-12 Thread Alan DeKok
Josh Howlett <[EMAIL PROTECTED]> wrote:
> It sounds to me like you're trying to do too much at once, and too many 
> things are broken for you to know where to start!

  I really can't emphasize that enough.  Many problems are caused by
people trying to do everything at once.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How do I set up simple AD integration?

2006-04-12 Thread King, Michael
 
> Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
> Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
> Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
> Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
> 
> AFAIK there is no certificate A on the client (or supplicant) so the
> error message is probably correct but is it a problem in security terms?

The Semi-Official answer (from Alan) is to just ignore it.




Re: How do I set up simple AD integration?

2006-04-12 Thread Phil Mayers

Burton, Steven wrote:
> AFAIK there is no certificate A on the client (or supplicant) so the
> error message is probably correct but is it a problem in security
> terms?

No. It's an OpenSSL-ism. Ignore it.


RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Josh Howlett
> Sent: 12 April 2006 11:48
> To: FreeRadius users mailing list
> Subject: Re: How do I set up simple AD integration?
> 
> Burton, Steven wrote:
> > 
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> >> Sent: 11 April 2006 16:28
> >> To: FreeRadius users mailing list
> >> Subject: Re: How do I set up simple AD integration?
> >>
> >> "Burton, Steven" <[EMAIL PROTECTED]> wrote:
> >>> This stanza is enclosed within the mschap section, still nothing ventured
> >>> I changed the line and unfolded it and ran radiusd -X. The first
> >>> request didn't match anything useful and was rejected by System. I
> >>> tried again but ticked the box 'CHAP' on NTRadPing and got the
> >>> output:
> >>
> >>   You can't do CHAP to MS AD.  It's impossible.
> >>
> >>   Alan DeKok.
> > 
> > My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
> > I still hope to get 802.1x working with FR before I'm told to stop wasting
> > time and buy something :-) but after two and a half days (on and off) I'm
> > no closer.
> 
> Steve,
> 
> I strongly suggest you start off doing PEAP against the 'users' file,
> and once that's working get the domain stuff working.
> 
> It sounds to me like you're trying to do too much at once, and too many
> things are broken for you to know where to start!
> 
> Once you've got PEAP working against the 'users' file, create a machine
> account in the AD for the RADIUS server (using the Samba tools) and then
> use the ntlm_auth program (that comes with Samba) to test standard
> authentication.
> 
> Once you've got that far, it's just a matter of configuring FreeRADIUS
> to use ntlm_auth. But you can worry about that later :-)
> 
> This isn't difficult, it's largely a matter of making sure you do the
> right steps in the right order...
> 
> best regards, josh.
> 
Well, IT'S WORKING!! Thank you all for your help, advice and support.

Alas, I didn't back up the files last night so I'm not sure exactly what I did
to make it work but I can now see it authenticating and then the connection is
made. I have set it to put user names in the log and I hope to have it write
accounting logs soon.

More worryingly, I'm seeing this error message in radiusd.log:

Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Apr 12 13:20:48 2006 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Apr 12 13:21:07 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:07 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.50.45 port 26 cli 0012f0311af1)

AFAIK there is no certificate A on the client (or supplicant) so the error
message is probably correct but is it a problem in security terms?

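As an added example, not code from the thread, here is a small Python parser for radiusd.log entries in the format quoted above: it re-joins entries the mail client hard-wrapped, pulls user/client/port/cli out of the Auth lines, and records the "SSLv3 read client certificate A" error as the benign OpenSSL message the replies describe, so anything else logged as Error still stands out. The sample log is constructed; its final "Login incorrect" entry is made up to exercise the failure branch.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the radiusd.log format quoted above.  Like the mail
# excerpt it is hard-wrapped at ~80 columns, so some entries span two lines.
# The final "Login incorrect" entry is made up to exercise the failure path.
SAMPLE_LOG = r"""Wed Apr 12 13:20:48 2006 : Info: rlm_exec: Wait=yes but no output defined. Did y
ou mean output=none?
Wed Apr 12 13:20:48 2006 : Info: Ready to process requests.
Wed Apr 12 13:21:06 2006 : Error: TLS_accept:error in SSLv3 read client cert
ificate A
Wed Apr 12 13:21:06 2006 : Info: rlm_eap_mschapv2: Issuing Challenge
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client localhost port 0)
Wed Apr 12 13:21:06 2006 : Auth: Login OK: [DOMAIN\\USERNAME] (from client 192.168.5
0.45 port 26 cli 0012f0311af1)
Wed Apr 12 13:21:30 2006 : Auth: Login incorrect (rlm_chap: Clear text password not available): [jsmith] (from client 192.168.50.45 port 26 cli 0012f0311af1)
"""

# "Wed Apr 12 13:21:06 2006 : Level: message"
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d \d{4}) : "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
# "Login OK: [user] (from client X port N cli MAC)" or "Login incorrect (reason): ..."
AUTH_RE = re.compile(
    r"^Login (?P<result>OK|incorrect)(?: \((?P<reason>[^)]*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?\)$"
)
# Errors the replies in the thread describe as harmless OpenSSL noise for PEAP/EAP-TLS.
BENIGN_ERRORS = {"TLS_accept:error in SSLv3 read client certificate A"}


def unwrap(text: str) -> List[str]:
    """Re-join physical lines that the mail client folded mid-word."""
    entries: List[str] = []
    for physical in text.splitlines():
        if ENTRY_RE.match(physical) or not entries:
            entries.append(physical)
        else:
            entries[-1] += physical  # folding added no whitespace, so plain concat
    return entries


def parse_entry(line: str) -> Optional[Dict[str, object]]:
    """Split one log entry into fields; Auth entries also get user/client/port/cli."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = {"ts": m["ts"], "level": m["level"], "msg": m["msg"]}
    if m["level"] == "Auth":
        a = AUTH_RE.match(m["msg"])
        if a:
            rec.update(user=a["user"], client=a["client"], port=int(a["port"]),
                       cli=a["cli"], reason=a["reason"], ok=a["result"] == "OK")
    elif m["level"] == "Error":
        rec["benign"] = m["msg"] in BENIGN_ERRORS
    return rec


def summarize(text: str) -> Dict[str, object]:
    """Logins, failures and non-benign errors from a radiusd.log excerpt."""
    records = [r for r in map(parse_entry, unwrap(text)) if r]
    logins = [r for r in records if "user" in r]
    return {
        "entries": len(records),
        "login_ok": [(r["user"], r["client"]) for r in logins if r["ok"]],
        "login_failed": [(r["user"], r["client"], r["reason"]) for r in logins if not r["ok"]],
        "benign_errors": sum(1 for r in records if r.get("benign")),
        "real_errors": [r["msg"] for r in records if r["level"] == "Error" and not r["benign"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two "Login OK" lines per attempt are the inner (localhost, port 0) and outer PEAP requests for the same user, which is why the parser keeps the client field.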


RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven



 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stephen Walsh
> Sent: 12 April 2006 14:34
> To: freeradius-users@lists.freeradius.org
> Subject: RE: How do I set up simple AD integration?
> 
> From: "Burton, Steven" <[EMAIL PROTECTED]>
> > I'd seen that. What I was trying to do (unsuccessfully 'cos I'm ignorant) was
> > to try to find out what triggers ntlm_auth to run. Is there something in
> > another file that sets this up?
> 
> Your authorise and authenticate sections define what modules are called.
> Ergo, if you don't have a LDAP call in both, it doesn't do the authorise
> (can the user dial up?) or authenticate (are the credentials right).
> 
> I've got a sanitised set of config I can send you, you don't need to do all
> that "nt_hack" skull hackery, mine is working pretty much OK out of the box
> with 2 config changes.
> 
> Stephen Walsh


RE: How do I set up simple AD integration?

2006-04-12 Thread Stephen Walsh
From: "Burton, Steven" <[EMAIL PROTECTED]>
> I'd seen that. What I was trying to do (unsuccessfully 'cos I'm ignorant) was
> to try to find out what triggers ntlm_auth to run. Is there something in
> another file that sets this up?

Your authorise and authenticate sections define what modules are called.
Ergo, if you don't have a LDAP call in both, it doesn't do the authorise
(can the user dial up?) or authenticate (are the credentials right).

I've got a sanitised set of config I can send you, you don't need to do all
that "nt_hack" skull hackery, mine is working pretty much OK out of the box
with 2 config changes.

Stephen Walsh
[EMAIL PROTECTED]
Client Support Officer (Technology)
Australian Catholic University (Limited)
PO Box 256, Dickson ACT 2602
Phone: +61 2 6209 1133
Fax: +61 2 6209 1179
Mobile: +61 419 496796
CRICOS Registration: 4G, 00112C, 00873F, 00885B ABN 15 050 192 660





Re: How do I set up simple AD integration?

2006-04-12 Thread Josh Howlett

Burton, Steven wrote:
> 
>> -----Original Message-----
>> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
>> Sent: 11 April 2006 16:28
>> To: FreeRadius users mailing list
>> Subject: Re: How do I set up simple AD integration?
>>
>> "Burton, Steven" <[EMAIL PROTECTED]> wrote:
>>> This stanza is enclosed within the mschap section, still nothing ventured
>>> I changed the line and unfolded it and ran radiusd -X. The first
>>> request didn't match anything useful and was rejected by System. I
>>> tried again but ticked the box 'CHAP' on NTRadPing and got the
>>> output:
>>
>>   You can't do CHAP to MS AD.  It's impossible.
>>
>>   Alan DeKok.
> 
> My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
> I still hope to get 802.1x working with FR before I'm told to stop wasting time
> and buy something :-) but after two and a half days (on and off) I'm no closer.

Steve,

I strongly suggest you start off doing PEAP against the 'users' file,
and once that's working get the domain stuff working.

It sounds to me like you're trying to do too much at once, and too many
things are broken for you to know where to start!

Once you've got PEAP working against the 'users' file, create a machine
account in the AD for the RADIUS server (using the Samba tools) and then
use the ntlm_auth program (that comes with Samba) to test standard
authentication.

Once you've got that far, it's just a matter of configuring FreeRADIUS
to use ntlm_auth. But you can worry about that later :-)

This isn't difficult, it's largely a matter of making sure you do the
right steps in the right order...

best regards, josh.


RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Alan DeKok
> Sent: 11 April 2006 16:28
> To: FreeRadius users mailing list
> Subject: Re: How do I set up simple AD integration?
> 
> "Burton, Steven" <[EMAIL PROTECTED]> wrote:
> > This stanza is enclosed within the mschap section, still nothing ventured
> > I changed the line and unfolded it and ran radiusd -X. The first
> > request didn't match anything useful and was rejected by System. I
> > tried again but ticked the box 'CHAP' on NTRadPing and got the
> > output:
> 
>   You can't do CHAP to MS AD.  It's impossible.
> 
>   Alan DeKok.

My bad! I'd been staring at mschap all day and I saw chap and thought mschap.
I still hope to get 802.1x working with FR before I'm told to stop wasting time 
and buy something :-) but after two and a half days (on and off) I'm no closer.

Steve.



RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


> -----Original Message-----
> From: Stephen Walsh [mailto:[EMAIL PROTECTED]]
> Sent: 12 April 2006 00:41
> To: Burton, Steven
> Subject: Re: How do I set up simple AD integration?
> 
> Hi Steve
> 
> I've just completed an AD implementation of FreeRadius across two AD
> domains, One AD2003 in Native mode, and one AD2000 in mixed mode. If you'd
> like any hints or tips, feel free to email me and I'll do what i can to
> help.
> 
> Stephen Walsh
> [EMAIL PROTECTED]


Stephen,

thanks for your kind offer of help. 

What I'm trying to achieve is to get 802.1x authentication working with
FreeRadius passing off authentication to a Win2003 (Win 2000 mixed mode, soon
to be 2003 native) DC.
When the user tried to connect to the network I can see his domain\username in
the output of radiusd -A -X which (I think) suggests that the supplicant and
client are set up correctly. There seems to be no attempt by the RADIUS server
to contact a DC. I don't want to take too much of your time but would it be
possible for you to send me any (suitably sanitized) configuration files you
have customized?

If this is unacceptable I'll send you details of what I've done so far.

Steve.



RE: How do I set up simple AD integration?

2006-04-12 Thread Burton, Steven


> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of King, Michael
> Sent: 11 April 2006 16:34
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
> 
> You would still need with_ntdomain_hack = yes
> 
> But that isn't your actual problem.
> 
> It never called ntlm_auth
> 

I'd seen that. What I was trying to do (unsuccessfully 'cos I'm ignorant) was 
to try to find out what triggers ntlm_auth to run. Is there something in 
another file that sets this up?

Steve.



RE: How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven


> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Burton, Steven
> Sent: 11 April 2006 16:15
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] On Behalf Of King, Michael
> > Sent: 11 April 2006 15:40
> > To: FreeRadius users mailing list
> > Subject: RE: How do I set up simple AD integration?
> > 
> > > Is there a how-to or tutorial for this simple case? I have
> > > searched this list and google generally. I have read the
> > > articles referred to on the FreeRadius home page and several
> > > others and I still can't see how the configuration works. Any
> > > and all help gratefully received.
> > > 
> > > Steve.
> > 
> > As for the simple how-to, there are a few, but none that I would
> > consider easy to follow.
> > 
> >   What you're looking for is the following lines:  (I have two
> > ntlm_auth lines, the original that is commented out, and the one
> > that I use.  They are long, so they will break across lines, but
> > they are not that way in my config file)
> > 
> > # Windows sends us a username in the form of
> > # DOMAIN\user, but sends the challenge response
> > # based on only the user portion.  This hack
> > # corrects for that incorrect behavior.
> > #
> > with_ntdomain_hack = yes
> > 
> > # The module can perform authentication itself, OR
> > # use a Windows Domain Controller.  This configuration
> > # directive tells the module to call the ntlm_auth
> > # program, which will do the authentication, and return
> > # the NT-Key.  Note that you MUST have "winbindd" and
> > # "nmbd" running on the local machine for ntlm_auth
> > # to work.  See the ntlm_auth program documentation
> > # for details.
> > #
> > # Be VERY careful when editing the following line!
> > #
> > #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
> 
> This stanza is enclosed within the mschap section, still nothing ventured
> I changed the line and unfolded it and ran radiusd -X. The first
> request didn't match anything useful and was rejected by System. I
> tried again but ticked the box 'CHAP' on NTRadPing and got the
> output:
> 
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/eap.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/var/log/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospa

Re: How do I set up simple AD integration?

2006-04-11 Thread Alan DeKok
"Burton, Steven" <[EMAIL PROTECTED]> wrote:
> This stanza is enclosed within the mschap section, still nothing ventured
> I changed the line and unfolded it and ran radiusd -X. The first
> request didn't match anything useful and was rejected by System. I
> tried again but ticked the box 'CHAP' on NTRadPing and got the
> output:

  You can't do CHAP to MS AD.  It's impossible.

  Alan DeKok.


RE: How do I set up simple AD integration?

2006-04-11 Thread King, Michael
You would still need with_ntdomain_hack = yes

But that isn't your actual problem.

It never called ntlm_auth

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burton, Steven
> Sent: Tuesday, April 11, 2006 11:15 AM
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] On Behalf Of King, Michael
> > Sent: 11 April 2006 15:40
> > To: FreeRadius users mailing list
> > Subject: RE: How do I set up simple AD integration?
> > 
> > > Is there a how-to or tutorial for this simple case? I have searched
> > > this list and google generally. I have read the articles referred to
> > > on the FreeRadius home page and several others and I still can't see
> > > how the configuration works. Any and all help gratefully received.
> > > 
> > > Steve.
> > 
> > As for the simple how-to, there are a few, but none that I would
> > consider easy to follow.
> > 
> >   What you're looking for is the following lines:  (I have two
> > ntlm_auth lines, the original that is commented out, and the one that
> > I use.  They are long, so they will break across lines, but they are
> > not that way in my config file)
> > 
> > # Windows sends us a username in the form of
> > # DOMAIN\user, but sends the challenge response
> > # based on only the user portion.  This hack
> > # corrects for that incorrect behavior.
> > #
> > with_ntdomain_hack = yes
> > 
> > # The module can perform authentication itself, OR
> > # use a Windows Domain Controller.  This configuration
> > # directive tells the module to call the ntlm_auth
> > # program, which will do the authentication, and return
> > # the NT-Key.  Note that you MUST have "winbindd" and
> > # "nmbd" running on the local machine for ntlm_auth
> > # to work.  See the ntlm_auth program documentation
> > # for details.
> > #
> > # Be VERY careful when editing the following line!
> > #
> > #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
> 
> This stanza is enclosed within the mschap section, still nothing ventured
> I changed the line and unfolded it and ran radiusd -X. The first
> request didn't match anything useful and was rejected by System. I
> tried again but ticked the box 'CHAP' on NTRadPing and got the
> output:
> 
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/eap.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/var/log/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no&qu

Re: How do I set up simple AD integration?

2006-04-11 Thread Josh Howlett

Steve,


> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
> 
> This stanza is enclosed within the mschap section, still nothing ventured
> I changed the line and unfolded it and ran radiusd -X. The first request didn't
> match anything useful and was rejected by System. I tried again but ticked the
> box 'CHAP' on NTRadPing and got the output:
> 
>   rad_check_password:  Found Auth-Type CHAP
> auth: type "CHAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group CHAP for request 0
>   rlm_chap: login attempt by "burst01" with CHAP password
>   rlm_chap: Could not find clear text password for user burst01
>   modcall[authenticate]: module "chap" returns invalid for request 0
> modcall: leaving group CHAP (returns invalid) for request 0


You can't do this.

If you want to do ntlm_auth, you need to use an authentication protocol 
that provides FreeRADIUS with either the user's (1) cleartext 
credentials or (2) the user's NT credentials.


CHAP won't work - it's impossible. However PAP will work, as will 
MS-CHAP. CHAP is different from MS-CHAP.


best regards, josh.


RE: How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven


> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of King, Michael
> Sent: 11 April 2006 15:40
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
> 
> > Is there a how-to or tutorial for this simple case? I have
> > searched this list and google generally. I have read the
> > articles referred to on the FreeRadius home page and several
> > others and I still can't see how the configuration works. Any
> > and all help gratefully received.
> > 
> > Steve.
> 
> As for the simple how-to, there are a few, but none that I would
> consider easy to follow.
> 
>   What you're looking for is the following lines:  (I have two
> ntlm_auth lines, the original that is commented out, and the one
> that I use.  They are long, so they will break across lines, but
> they are not that way in my config file)
> 
> # Windows sends us a username in the form of
> # DOMAIN\user, but sends the challenge response
> # based on only the user portion.  This hack
> # corrects for that incorrect behavior.
> #
> with_ntdomain_hack = yes
> 
> # The module can perform authentication itself, OR
> # use a Windows Domain Controller.  This configuration
> # directive tells the module to call the ntlm_auth
> # program, which will do the authentication, and return
> # the NT-Key.  Note that you MUST have "winbindd" and
> # "nmbd" running on the local machine for ntlm_auth
> # to work.  See the ntlm_auth program documentation
> # for details.
> #
> # Be VERY careful when editing the following line!
> #
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"

This stanza is enclosed within the mschap section, still nothing ventured
I changed the line and unfolded it and ran radiusd -X. The first request didn't
match anything useful and was rejected by System. I tried again but ticked the
box 'CHAP' on NTRadPing and got the output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output de

RE: How do I set up simple AD integration?

2006-04-11 Thread King, Michael
> 
> Is there a how-to or tutorial for this simple case? I have 
> searched this list and google generally. I have read the 
> articles referred to on the FreeRadius home page and several 
> others and I still can't see how the configuration works. Any 
> and all help gratefully received.
> 
> Steve.
> 


As for the simple how-to, there are a few, but none that I would consider
easy to follow.

  What you're looking for is the following lines:  (I have two ntlm_auth
lines, the original that is commented out, and the one that I use.  They
are long, so they will break across lines, but they are not that way in
my config file)


# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.
#
with_ntdomain_hack = yes

# The module can perform authentication itself, OR
# use a Windows Domain Controller.  This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key.  Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work.  See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}"

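As an added example (not from the thread and not FreeRADIUS's own code), a small Python re-implementation of the %{Attr:-default} expansion that the two ntlm_auth lines above rely on, applied to both lines so the difference is visible: the commented-out line hands ntlm_auth DOMAIN\user unchanged unless some realm module has set Stripped-User-Name, while the working line strips the domain in the xlat itself, which is the same mismatch with_ntdomain_hack exists to correct. Assumptions: %{mschap:User-Name} is modelled as "User-Name with any DOMAIN\ prefix removed", and %{mschap:Challenge} / %{mschap:NT-Response} are read from a dict of pre-computed hex values rather than derived from the MS-CHAP attributes as rlm_mschap does.

```python
from typing import Dict, Optional

# The two ntlm_auth lines from the config stanza above, unfolded onto one line each.
ORIGINAL_LINE = ("/path/to/ntlm_auth --request-nt-key"
                 " --username=%{Stripped-User-Name:-%{User-Name:-None}}"
                 " --challenge=%{mschap:Challenge:-00}"
                 " --nt-response=%{mschap:NT-Response:-00}")
WORKING_LINE = ("/usr/bin/ntlm_auth --request-nt-key"
                " --username=%{mschap:User-Name} --challenge=%{mschap:Challenge}"
                " --nt-response=%{mschap:NT-Response}")


def _find_close(s: str, start: int) -> int:
    """Index of the '}' matching the '%{' at s[start]; nested %{...} is allowed."""
    depth, i = 0, start
    while i < len(s):
        if s.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %{ in template: " + s)


def _split_default(body: str):
    """Split 'Name:-default' at the first ':-' outside any nested %{...}."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth, i = depth + 1, i + 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return body, None


def _lookup(name: str, attrs: Dict[str, str]) -> Optional[str]:
    """Attribute lookup.  Assumption (simplified model of rlm_mschap's xlat):
    %{mschap:User-Name} is the User-Name with any DOMAIN\\ prefix removed;
    %{mschap:Challenge} and %{mschap:NT-Response} are taken pre-computed from
    attrs instead of being derived from the MS-CHAP attributes."""
    if name == "mschap:User-Name":
        user = attrs.get("User-Name")
        return None if user is None else user.rsplit("\\", 1)[-1]
    return attrs.get(name)


def xlat(template: str, attrs: Dict[str, str]) -> str:
    """Expand %{Name} and %{Name:-default}; a default may itself contain %{...}."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _find_close(template, i)
            name, default = _split_default(template[i + 2:end])
            value = _lookup(name, attrs)
            if value is None:  # attribute absent: fall back to the default, if any
                value = xlat(default, attrs) if default is not None else ""
            out.append(value)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed request: a Windows supplicant sends DOMAIN\user and no realm
    # module has set Stripped-User-Name; challenge/response values are dummies.
    req = {"User-Name": "DOMAIN\\jsmith",
           "mschap:Challenge": "0011223344556677",
           "mschap:NT-Response": "00" * 24}
    print(xlat(ORIGINAL_LINE, req))  # --username=DOMAIN\jsmith, domain still attached
    print(xlat(WORKING_LINE, req))   # --username=jsmith
```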


Re: How do I set up simple AD integration?

2006-04-11 Thread Dennis Skinner
Burton, Steven wrote:
> However, although I can see tantalizing references to 'ntlm_auth' and 
> 'ntdomain' and the like in various files I cannot see how to trigger an AD 
> lookup from a RADIUS request. So far all I have achieved is:

You are doing well.  Too many people try to jump directly to the end.

I *think* AD = LDAP is the piece you are missing.  See where that gets
you.  I don't use either, so beyond pointing you in that direction, I
can't help much.  You also prob don't need the sql.conf file as I didn't
see mention of an SQL server anywhere.  There is probably an ldap.conf
file or an ldap section of the radius.conf that you should look at.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com