Re: Can't figure out Group Authentication

2012-06-27 Thread NdK
On 26/06/2012 17:14, Julson, Jim wrote:
> Forgive my ignorance, but the variable that you are suggesting I use
> would be something that I had to create locally on my RADIUS servers
> right? The idea is that we use our central point of management which
> in our case is Active Directory.
You have to define a local variable to hold the group name (or the group
SID, but while making auth faster it makes management harder). Then
assign to it a value based on where you receive your request from (a
switch, a public server, a private server, a VPN endpoint...) and
pass it to ntlm_auth in the --require-membership-of option.
If the user trying to access is not in that group, he's denied access
(ntlm_auth checks group membership in AD).

> We have hundreds of servers
> ranging from RHEL 3 up to Ubuntu 12.04 as well as Windows boxes.
> So managing groups on a per radius server basis isn't really a
> good choice from a management perspective.  Using the Active
> Directory domain, we can have our admins move folks in and out
> of groups as necessary.
That's exactly what AD is for. But I usually join the PCs to it so I can
have better integration (one for all: AD groups get mapped to Unix groups).

> Did I understand your suggestion right?
I don't think so.
> Or is that variable --require-membership-of=
That's not a variable, that's a parameter for ntlm_auth.
> something that can help me achieve what I want to do?
It restricts access to members of that group. IIUC that's what you need.

> I thought I had to use LDAP for Group Authorization...
You don't need to. At least not for such a basic thing.

To be more clear (not actually tested):
1) add ATTRIBUTE Require-Group 3000 string to dictionary
2) add DEFAULT Require-Group := 'default-ad-group' to users
3) change ntlm_auth line in modules/mschap to include
--require-membership-of=%{Require-Group}

Now restart FR and it should accept only users in 'default-ad-group'.
If it's OK, now you have to find some way to differentiate the NAS (or
NAS group) from where the user is requesting access and use unlang to
change Require-Group value as needed.

BYtE,
 Diego.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
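A concrete version of those four steps for FreeRADIUS 2.x, added here as an example; it is not NdK's tested configuration nor the project's own, and the huntgroup names, NAS addresses and AD group names are constructed placeholders. It reads the attribute back from the control list, which is where users-file check items land.

```unlang
# raddb/dictionary -- local attribute that carries the required AD group.
# Number 3000 is in the range the stock dictionary reserves for local use.
ATTRIBUTE   Require-Group   3000    string

# raddb/users -- default group when no NAS-specific rule overrides it.
# Check items on a DEFAULT line go to the control list, so the value is
# read back as %{control:Require-Group} below.  Fall-Through lets later
# users-file entries still be evaluated.
DEFAULT Require-Group := "default-ad-group"
        Fall-Through = Yes

# raddb/huntgroups -- group NAS devices by origin (addresses are constructed;
# the preprocess module reads this file and provides Huntgroup-Name).
vpn     NAS-IP-Address == 192.0.2.10
vpn     NAS-IP-Address == 192.0.2.11
core    NAS-IP-Address == 192.0.2.20

# raddb/sites-enabled/default, authorize section: override the group per
# huntgroup AFTER "files" (so ":=" replaces the users-file default).  The
# group test itself happens later, when ntlm_auth runs in authenticate.
authorize {
    preprocess
    mschap
    suffix
    files
    if (Huntgroup-Name == "vpn") {
        update control {
            Require-Group := "vpn-users"
        }
    }
    elsif (Huntgroup-Name == "core") {
        update control {
            Require-Group := "network-admins"
        }
    }
    expiration
    logintime
    pap
}

# raddb/modules/mschap -- the stock 2.x ntlm_auth line plus the membership
# test.  --require-membership-of accepts a group name (it must resolve via
# winbind, as "wbinfo -n" would) or a group SID.  A user outside the group
# fails authentication even when the password is correct.
mschap {
    ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00} --require-membership-of=%{control:Require-Group}"
}
```

Run radiusd -X after the change: a request from 192.0.2.10 should show the control update to "vpn-users" and the ntlm_auth command line with that group substituted.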


Re: Can't figure out Group Authentication

2012-06-26 Thread NdK
On 22/06/2012 17:32, Julson, Jim wrote:

> Now, the problem is this.  Following Alan DeKok's guide at
> http://deployingradius.com/documents/configuration/active_directory.html, I
> was able to get FreeRADIUS 2.X running on CentOS 6.2 with pretty minimal
> effort.  There were a few things I had to go elsewhere to figure out, but I
> managed.  I have FreeRADIUS setup and authenticating using NTLM_AUTH.  I was
> able to join my AD 2008 R2 Domain, I can list users, groups etc.. This RADIUS
> server will be for authenticating users on all of our Cisco devices, as well
> as remote access VPN users.  So the problem is this.  It's authenticating...a
> little too well.
Why not add a default group var (to be overridden for specific
clients) and pass it to ntlm_auth in --require-membership-of=
parameter? That way you can filter who can authenticate from any NAS.
And IIUC huntgroups, you can even define groups of clients...

Please correct me if I'm wrong.

BYtE,
 Diego.


RE: Can't figure out Group Authentication

2012-06-26 Thread Julson, Jim
Forgive my ignorance, but the variable that you are suggesting I use would be 
something that I had to create locally on my RADIUS servers right?  The idea is 
that we use our central point of management which in our case is Active 
Directory.  We have hundreds of servers ranging from RHEL 3 up to Ubuntu 12.04 
as well as Windows boxes.  So managing groups on a per radius server basis 
isn't really a good choice from a management perspective.  Using the Active 
Directory domain, we can have our admins move folks in and out of groups as 
necessary.  

Did I understand your suggestion right?  Or is that variable 
--require-membership-of= something that can help me achieve what I want to 
do?  I thought I had to use LDAP for Group Authorization...



Re: Can't figure out Group Authentication

2012-06-26 Thread dhanushka ranasinghe
Hi...

I was able to get OpenLDAP group authentication + PAP with RADIUS. I used
the following settings:

in the users file:

DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=openldap,dc=ihk,dc=com"
        Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


and in /etc/freeradius/modules/ldap:

server = ldap.ihx.com
identity = cn=admin,dc=openldap,dc=ihx,dc=com
password = abc
basedn = dc=openldap,dc=ihx,dc=com
filter = (mail=%{Stripped-User-Name:-%{User-Name}})
access_attr = mail
authtype = ldap



and uncomment the following lines in the /etc/freeradius/modules/ldap

 groupname_attribute
 groupmembership_filter
 groupmembership_attribute

hope this helps,


Thank You


RE: Can't figure out Group Authentication

2012-06-26 Thread Julson, Jim
I appreciate the configuration and the help.

Unfortunately the syntax will be a little different for the LDAP module since 
I'm querying a Microsoft Active Directory and not an OpenLDAP Server.  The 
filters, access attributes and other various settings are completely different 
from what Microsoft passes in their LDAP Attributes.

Again, thank you for the input though.  If anyone else has what they use for 
their Filters, I'd absolutely appreciate a working reference from 
/etc/raddb/modules/ldap .  I think that's my one main problem.

Thanks!


Re: Can't figure out Group Authentication

2012-06-25 Thread Alan DeKok
Julson, Jim wrote:
> Okay, so I think I'm getting closer.  But I have a few challenges
> still.  I am slowly learning how to parse the RADIUS -X debug output,
> now it's a matter of knowing what to do with the information.

  Use the handy form at:

networkradius.com/freeradius.html

  It tells you the important things to look at.

> 1.  Domain Groups with spaces sometimes would or wouldn't work.  (Is
> that the case with FreeRADIUS?)

  It shouldn't be, but you never know.

> 2.  Recursive searches were a problem.  See below for how the basic
> Active Directory structure looks for us (Note the spaces in the names).
> For Cacti, I had to create a new OU, with a new Security Group that
> didn't have spaces in it.  That was the only way I could get LDAP Binds
> to work for Group Authentication.  (I find it hard to believe that's the
> case with FreeRADIUS... I tend to lean more towards my bad configuration).

  Recursive searches are supported in FreeRADIUS.  See the rebind
configuration in the ldap module.

> So, in that example, if I wanted to have a user be Authenticated who
> resides in "ADMIN – Users", but the group is in "ADMIN – Groups", does
> it matter to the RADIUS LDAP module?

  It shouldn't.

> NOTE:  I am kind of lost here.  I see so many people using so many
> different syntaxes that I'm not sure if I'm using the right one.

  The documentation is correct.  Almost every third-party site is wrong.

> At present, the "users" file is completely default except for the following
> lines I've added at the very top.   So, no matter what my LDAP output
> shows, If I uncomment the two lines for ntlm_auth, I can login with any
> Domain User regardless of the top 2 lines that say "Domain Admins", and
> all others are rejected.  So I'm thinking ultimately my problem is not
> just here, but also with the LDAP bind taking place as you can see below.
>
> /etc/raddb/users
>
> DEFAULT Ldap-Group == CN=Domain Admins,CN=ADMIN -
> Groups,DC=DOMAIN,DC=HOME,DC=COM,

  You just need the group name "admin" or "sales".  Not the whole path.

> Auth-Type = ntlm_auth
> DEFAULT Auth-Type = Reject

  You don't need the default reject.  The server will ALWAYS reject
people it doesn't know.

> Here's the RADIUSD -X output from my last auth attempt.
>
> BEGIN RADIUS -X DEBUG OUTPUT
> NOTE:  I've changed all my domain information for this troubleshooting,
> and also highlighted anywhere it's referenced.  I'm hoping I'm
> On the right track with what I've highlighted below as to where I
> believe the problem is.

  Part of the reason for the debug output is to show you what's going
on.  It prints out the LDAP queries it does.  You can copy them, and use
them in command-line tests with ldapsearch.  That helps.

  Alan DeKok.

RE: Can't figure out Group Authentication

2012-06-25 Thread Julson, Jim
Thank you once again Alan.  I know you probably have to face palm yourself 
sometimes when you see the same questions over and over.  I appreciate your 
patience with me.  I don't want someone to do it for me, I want to learn it so 
I can support it.  I have decided to start fresh.  I had clean copies of every 
file I've ever touched, so I'm going to try to tackle this sometime during the 
week.  This Amazon AWS Cloud VPC isn't going to build itself  :)


Re: Can't figure out Group Authentication

2012-06-23 Thread Alan DeKok
Julson, Jim wrote:
> Now, I then setup my Cisco router accordingly, and then did an SSH test
> to it using my AD Account.  Voila!  It worked great.  However, so did
> every other Domain User account in the environment.  This goes
> back to me being so new to RADIUS and Linux where I don't feel like I'm
> fully grasping all of the directives within the configuration files, and
> exactly how they all tie together.

  Honestly, I don't remember much of that, either.  When I configure the
server, I usually go back and read the comments *I wrote* to figure out
what to do.

  But for your issue, you told the server to use AD to authenticate all
users.  So that's what it did.

> So, how do I lock down the SSH Authentication to an Active Directory
> Group of users, or individual users?  Remember, go easy on me.  I'll
> provide whatever you need to help.  I'm assuming you will ask for my
> RADIUSD -X output, so I've attached that as well.

1) configure AD as an LDAP server.  See raddb/modules/ldap

2) add ldap to the instantiate section of radiusd.conf
   There are references to ldap in authorize and authentication
   You won't need those.

3) Do group checking with LDAP-Group == "group name"

  See the FAQ for examples of rejecting users with a particular group.
The FAQ uses Group, which is Unix group from /etc/passwd.  Just use
LDAP-Group instead.

> NOTE:  One thing I don't understand is how in Alan DeKok's write up from
> the link above, he says don't use the DEFAULT Auth-Type = ntlm_auth
> in the /etc/raddb/users file, but yet that's one of the final steps to
> test in the write-up.

  It's an intermediate step.  It's necessary only when you're forcing
authentication back-ends.

> Maybe it's because I am so new, but I've been
> through that document probably 30 times line by line, and yet every time
> I remove that entry, it breaks the Authentication.

  Yes.  The server needs to know HOW to authenticate the users.  The
incoming RADIUS packet contains what KIND of authentication method.
PAP, CHAP, MS-CHAP, etc.  So the server has no choice there.

  But where does it get the passwords from?  Normally this is a DB.  But
AD isn't a DB (for various reasons).  Instead, the Auth-Type =
ntlm_auth reformats and *proxies* the authentication over the Samba
protocol, using the ntlm_auth program.

  i.e. it hands off the MSCHAP stuff to ntlm_auth, and asks "is this
correct?"

  If the server has passwords from a DB, it can just authenticate the
user directly.  If it doesn't have a password for that user, it has to
hand off the authentication to someone else.

  Alan DeKok.
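The three steps above written out against Active Directory for FreeRADIUS 2.x, as an added example that is neither Alan's nor the project's own configuration (it also gives the AD-flavoured modules/ldap asked for later in this thread); the server name, DNs, bind account and group names are constructed placeholders, and the group test uses the same Ldap-Group comparison in an unlang condition rather than a users-file entry.

```unlang
# raddb/modules/ldap -- rlm_ldap pointed at Active Directory.
# Host, DNs and the bind account are constructed placeholders.
ldap {
    server = "dc1.example.com"
    # AD refuses anonymous searches: bind with a read-only service account.
    identity = "CN=radius-bind,OU=Service Accounts,DC=example,DC=com"
    password = "REPLACE-ME"
    basedn = "DC=example,DC=com"

    # AD keys users on sAMAccountName, not uid or mail.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # These three settings are what make "Ldap-Group == name" work.
    # Membership is resolved either from a group object whose member list
    # holds the user's DN, or from the user's own memberOf values (group DNs,
    # reduced to their cn before comparison).
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    groupmembership_attribute = memberOf

    # Searches under the domain root come back with referrals to the
    # ForestDnsZones/Configuration partitions (the "rebind to URL" lines in
    # the debug output).  Follow them, re-binding with the same credentials.
    chase_referrals = yes
    rebind = yes

    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

# raddb/radiusd.conf -- instantiating the module registers the Ldap-Group
# comparison; the module does not need to appear in authorize/authenticate.
instantiate {
    exec
    expr
    ldap
}

# raddb/sites-enabled/default, authorize section.  The password check still
# happens through ntlm_auth in authenticate: AD never exposes password
# hashes over LDAP, so rlm_ldap's "No known good password" warning is
# expected and harmless here.  Only the group's cn is compared, never its
# full DN.  Huntgroup "vpn" is a constructed name from raddb/huntgroups.
authorize {
    preprocess
    mschap
    suffix
    files
    if (Ldap-Group == "Network-Admins") {
        ok
    }
    elsif (Huntgroup-Name == "vpn" && Ldap-Group == "VPN-Users") {
        ok
    }
    else {
        update reply {
            Reply-Message := "Not a member of an authorised group"
        }
        reject
    }
    expiration
    logintime
    pap
}
```

In radiusd -X the group test shows up as an ldap search for the group cn; copy that query into ldapsearch with the same bind account to confirm the filter matches before blaming the RADIUS side.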


RE: Can't figure out Group Authentication

2012-06-23 Thread Julson, Jim
Alan, 

That was about the most clear and concise description of the process I've 
found/heard to date.  Thank you for taking the time to educate me.  I will 
attempt to get this going today.  I think I have everything that I need at this 
point.  

Have a good one. 



RE: Can't figure out Group Authentication

2012-06-23 Thread Julson, Jim
=domain,DC=com
  [ldap] rebind to URL 
ldap://ForestDnsZones.domain.example.com/DC=ForestDnsZones,DC=example,DC=domain,DC=com
  [ldap] rebind to URL 
ldap://domain.example.com/CN=Configuration,DC=example,DC=domain,DC=com
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap] user USERNAMEHERE authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop

###

Is this what the actual problem is?  Looks like it to me.  I thought I 
addressed this with the line I put in /etc/raddb/users stating that 
Auth-Type = ntlm_auth was good for Ldap-Group "Domain Admins".  Is my syntax 
wrong?

ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the 
user
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}


[attr_filter.access_reject] expand: %{User-Name} -USERNAMEHERE
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 72 to 10.10.0.5 port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 72 with timestamp +10
Ready to process requests.

###
###
###
###
END OF RADIUSD -X DEBUG OUTPUT






Re: Can't figure out Group Authentication

2012-06-22 Thread Alan Buxey
You've got to set up some group checking...you haven't, so ldap-group means 
nothing to the server so you hit the default reject that you added...

alan


RE: Can't figure out Group Authentication

2012-06-22 Thread Julson, Jim
Any hints as to where I’d possibly begin?

I might be able to stumble through it if I at least knew what files I had to 
edit I think.



Re: Can't figure out Group Authentication

2012-06-22 Thread alan buxey
Hi,
> Any hints as to where I'd possibly begin?

if you want to use LDAP to define/check groups, then you need to look at the
LDAP module - if you look at this module you can see how to configure it, it's
fairly well self-documented and there are LDAP HOWTOs and docs on the main
freeradius document sites.

alternatively, you could use eg PERL and the LDAP CPAN module to do the work in
that instead.

alan

RE: Can't figure out Group Authentication

2012-06-22 Thread Julson, Jim
You rock man ! 

I will dive deeper into this and see what I can conjure up.  Thanks again for 
the time.  I've been looking through the list archives for days and haven't 
found anything direct that could point me in this direction.  Then again, I 
probably passed over it many times just because I'm so burnt out on this  :)

Have a good weekend.
