Re: FreeRADIUS Active Directory Integration HOWTO

2009-10-28 Thread Ivan Kalik
> I'm a new user. Can anyone help me with the FreeRADIUS Active Directory
> Integration HOWTO? This paper is no longer available on the site.

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: freeradius active directory integration fails with "no such realm"

2009-07-08 Thread Andrei-Florian Staicu

Alan DeKok wrote:
> Andrei-Florian Staicu wrote:
>> Hello again. I've reached the output from here:
>> http://pastebin.com/d19f28a24 , and i still don't understand why it
>> doesn't call the ntlm_auth line
>
>   It looks like you are adding a "Proxy-To-Realm := LOCAL".
>
> ...
>>  PEAP: Sending tunneled request
>>    EAP-Message =
>> 0x02060018014950534f305c616e647265692e737461696375
>>    FreeRADIUS-Proxied-To = 127.0.0.1
>>    User-Name = "IPSO0\\andrei.staicu"
>> server inner-tunnel {
>> +- entering group authorize
>>    rlm_realm: Looking up realm "IPSO0" for User-Name =
>> "IPSO0\andrei.staicu"
>>    rlm_realm: Found realm "IPSO0"
>>    rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
>>    rlm_realm: Adding Realm = "IPSO0"
>>    rlm_realm: Authentication realm is LOCAL.
>> ++[ntdomain] returns noop
>> ++[mschap] returns noop
>> ++[control] returns noop
>
>   Why is that "update control" section there?  What is in it?
>
>>  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing
>> EAP.
>
>   It's being proxied to realm LOCAL.  You have added a LOCAL realm.
> Don't do that.
>
>> ++[eap] returns noop
>>  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
>> exist!  Cancelling invalid proxy request.
>
>   Even more proof.  The IPSO0 realm above is added because it exists.
> The server does NOT add a "Proxy-To-Realm := LOCAL".  You have done
> that.  Delete it from your configuration.
>
>   Alan DeKok.

It works now. Thank you very much for clearing things up for me.


Re: freeradius active directory integration fails with "no such realm"

2009-07-08 Thread Alan DeKok
Andrei-Florian Staicu wrote:
> Hello again. I've reached the output from here:
> http://pastebin.com/d19f28a24 , and i still don't understand why it
> doesn't call the ntlm_auth line

  It looks like you are adding a "Proxy-To-Realm := LOCAL".

...
>  PEAP: Sending tunneled request
>    EAP-Message =
> 0x02060018014950534f305c616e647265692e737461696375
>    FreeRADIUS-Proxied-To = 127.0.0.1
>    User-Name = "IPSO0\\andrei.staicu"
> server inner-tunnel {
> +- entering group authorize
>    rlm_realm: Looking up realm "IPSO0" for User-Name =
> "IPSO0\andrei.staicu"
>    rlm_realm: Found realm "IPSO0"
>    rlm_realm: Adding Stripped-User-Name = "andrei.staicu"
>    rlm_realm: Adding Realm = "IPSO0"
>    rlm_realm: Authentication realm is LOCAL.
> ++[ntdomain] returns noop
> ++[mschap] returns noop
> ++[control] returns noop

  Why is that "update control" section there?  What is in it?

>  rlm_eap: Request is supposed to be proxied to Realm LOCAL.  Not doing
> EAP.

  It's being proxied to realm LOCAL.  You have added a LOCAL realm.
Don't do that.

> ++[eap] returns noop
>  WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not
> exist!  Cancelling invalid proxy request.

  Even more proof.  The IPSO0 realm above is added because it exists.
The server does NOT add a "Proxy-To-Realm := LOCAL".  You have done
that.  Delete it from your configuration.

  Alan DeKok.


Re: freeradius active directory integration fails with "no such realm"

2009-07-08 Thread Andrei-Florian Staicu

Ivan Kalik wrote:
>> Ivan Kalik wrote:
>>>> One thing stands out though in the output of freeradius -X (only after
>>>> changing the order of suffix and ntdomain in sites-available/default
>>>> and
>>>> radiusd.conf:
>>>> ++[mschap] returns noop
>>>> rlm_realm: Looking up realm "IPSO0" for User-Name =
>>>> "IPSO0\andrei.staicu"
>>>> rlm_realm: No such realm "IPSO0"
>>>> ++[ntdomain] returns noop
>>>> rlm_realm: No '@' in User-Name = "IPSO0\andrei.staicu", looking up
>>>> realm
>>>> NULL
>>>> rlm_realm: No such realm "NULL"
>>>>
>>>> IPSO0 is the realm name for the domain ipso.biz (not the public site;
>>>> this is internal and resolved as such by our dns)
>>>> I've tried for about two weeks now, but i still have no idea on how to
>>>> define the realm IPSO0.
>>>>
>>>
>>> Look at proxy.conf.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>> Hello again
>>
>> I tried defining the realm IPSO0 (probably wrong) and i see the requests
>> being proxied to it, but it finally fails
>
> You have. It should be defined as local realm:
>
> realm IPSO0 {
> }
>
> Ivan Kalik
> Kalik Informatika ISP

Hello again. I've reached the output from here:
http://pastebin.com/d19f28a24 , and i still don't understand why it
doesn't call the ntlm_auth line


Re: freeradius active directory integration fails with "no such realm"

2009-07-07 Thread Ivan Kalik
> Ivan Kalik wrote:
>>> One thing stands out though in the output of freeradius -X (only after
>>> changing the order of suffix and ntdomain in sites-available/default
>>> and
>>> radiusd.conf:
>>> ++[mschap] returns noop
>>> rlm_realm: Looking up realm "IPSO0" for User-Name =
>>> "IPSO0\andrei.staicu"
>>> rlm_realm: No such realm "IPSO0"
>>> ++[ntdomain] returns noop
>>> rlm_realm: No '@' in User-Name = "IPSO0\andrei.staicu", looking up
>>> realm
>>> NULL
>>> rlm_realm: No such realm "NULL"
>>>
>>> IPSO0 is the realm name for the domain ipso.biz (not the public site;
>>> this is internal and resolved as such by our dns)
>>> I've tried for about two weeks now, but i still have no idea on how to
>>> define the realm IPSO0.
>>>
>>
>> Look at proxy.conf.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
> Hello again
>
> I tried defining the realm IPSO0 (probably wrong) and i see the requests
> being proxied to it, but it finally fails

You have. It should be defined as local realm:

realm IPSO0 {
}

Ivan Kalik
Kalik Informatika ISP
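The two instructions the thread converges on (Ivan Kalik's "define it as a local realm" above, and Alan DeKok's "delete the Proxy-To-Realm := LOCAL" in his reply) shown as an added before/after configuration fragment in FreeRADIUS 2.x syntax. This is not from the thread or from the FreeRADIUS distribution: the home_server address and secret are placeholders, and "attempt 1" is an assumed example of a realm definition that proxies, since the thread never shows what was actually tried.

```conf
# proxy.conf, attempt 1 (assumed; the thread never shows it): a realm that
# names a pool is proxied, so the inner-tunnel request is forwarded and the
# verdict comes from the home server: "Login incorrect (Home Server says so)".
home_server ad_dc {
    type   = auth
    ipaddr = 192.0.2.10          # placeholder
    port   = 1812
    secret = REPLACE_ME          # placeholder
}
home_server_pool ad_pool {
    type        = fail-over
    home_server = ad_dc
}
realm IPSO0 {
    auth_pool = ad_pool
}

# Attempt 2: realm now local in proxy.conf, but sites-available/inner-tunnel
# still forces a proxy to a realm that does not exist. rlm_eap sees
# Proxy-To-Realm and returns noop ("Not doing EAP"); the proxy request is
# then cancelled, which is the WARNING in the debug output.
realm IPSO0 {
}
authorize {
    ntdomain
    mschap
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap
    files
    pap
}

# Fix: the empty realm (no pool, no authhost/accthost) is handled by this
# server, which rlm_realm reports as "Authentication realm is LOCAL.", and
# the update control block is deleted. ntdomain stays ahead of mschap and
# eap so Stripped-User-Name and Realm are set before they run.
realm IPSO0 {
}
authorize {
    ntdomain
    mschap
    eap
    files
    pap
}
```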


Re: freeradius active directory integration fails with "no such realm"

2009-07-07 Thread Andrei-Florian Staicu

Ivan Kalik wrote:
>> One thing stands out though in the output of freeradius -X (only after
>> changing the order of suffix and ntdomain in sites-available/default and
>> radiusd.conf:
>> ++[mschap] returns noop
>> rlm_realm: Looking up realm "IPSO0" for User-Name = "IPSO0\andrei.staicu"
>> rlm_realm: No such realm "IPSO0"
>> ++[ntdomain] returns noop
>> rlm_realm: No '@' in User-Name = "IPSO0\andrei.staicu", looking up realm
>> NULL
>> rlm_realm: No such realm "NULL"
>>
>> IPSO0 is the realm name for the domain ipso.biz (not the public site;
>> this is internal and resolved as such by our dns)
>> I've tried for about two weeks now, but i still have no idea on how to
>> define the realm IPSO0.
>
> Look at proxy.conf.
>
> Ivan Kalik
> Kalik Informatika ISP

Hello again

I tried defining the realm IPSO0 (probably wrong) and i see the requests
being proxied to it, but it finally fails with Login incorrect (Home
Server says so): [IPSO0\\andrei.staicu/]

I put the output here http://pastebin.com/m516967e2 , should it help.
All i see in the output is ++[mschap] returns noop. Should the module
"do" something before failing?

Thanks


Re: freeradius active directory integration fails with "no such realm"

2009-07-06 Thread Ivan Kalik
> One thing stands out though in the output of freeradius -X (only after
> changing the order of suffix and ntdomain in sites-available/default and
> radiusd.conf:
> ++[mschap] returns noop
> rlm_realm: Looking up realm "IPSO0" for User-Name = "IPSO0\andrei.staicu"
> rlm_realm: No such realm "IPSO0"
> ++[ntdomain] returns noop
> rlm_realm: No '@' in User-Name = "IPSO0\andrei.staicu", looking up realm
> NULL
> rlm_realm: No such realm "NULL"
>
> IPSO0 is the realm name for the domain ipso.biz (not the public site;
> this is internal and resolved as such by our dns)
> I've tried for about two weeks now, but i still have no idea on how to
> define the realm IPSO0.

Look at proxy.conf.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius active directory integration fails with "no such realm"

2009-07-06 Thread A . L . M . Buxey
Hi,

>
> One thing stands out though in the output of freeradius -X (only after  
> changing the order of suffix and ntdomain in sites-available/default and  
> radiusd.conf:
> ++[mschap] returns noop

ensure that preprocess module is called first and then ensure that
with_ntdomain_hack is set to on


alan


Re: FreeRADIUS Active Directory Integration

2009-05-15 Thread A . L . M . Buxey
hi,

you still have ntlm_auth in your authorise section... that's wrong.
take ntlm_auth out of there.

edit modules/mschap and uncomment the ntlm_auth line (and configure
anything else you need such as MPPE) and then ensure that
mschap is called in the virtual server (sites-enabled/default)
and inner-tunnel (if using EAP) in the authenticate section.


the default config as supplied by FreeRADIUS *WORKS* - I can
vouch for that having started on many greenfield sites with a
bare new FreeRADIUS server and getting packets auth'd with just
a few config changes for the required purpose.

i think you might be getting confused with the 'authorize'
terminology.  the server first checks to see if the user-name
is authorised to connect (ie has the 'rights' to connect from
a NAS, at a certain time etc etc), this stops it having to
check the password first - a waste of auth server time! -
the server then checks the authentication (ie is the password
correct?) if the user is allowed to connect.  after this,
the post-auth and accounting is done.

remember, if using EAP, the server will read eap.conf and
by default will then use the inner-tunnel virtual server -
so if using EAP you have THOSE auth/auth/acct sections to
deal with too!

alan


Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Alan DeKok
Davies, Mike wrote:
> Thanks for the catch on listing ntlm_auth in authorize.  I followed the
> deployingradius.com link.

  Sorry, but no.  That page does NOT say to list "ntlm_auth" in the
"authorize" section.

>  I’m still not getting it.  I tried
> uncommenting the ntlm_auth = line in the mschap file.  I got the same
> result.

  Start with the default configuration files.  Follow the guide.  It
WILL work.

  Alan DeKok.

Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Ivan Kalik
> Thanks for the catch on listing ntlm_auth in authorize.  I followed the
> deployingradius.com link.  I'm still not getting it.  I tried uncommenting
> the ntlm_auth = line in the mschap file.  I got the same result.
>

> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "DOM002\MD90345", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[unix] returns notfound
> [files] users: Matched entry DEFAULT at line 174
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [ntlm_auth] expand: --username=%{mschap:User-Name} ->

ntlm_auth is still listed in authorize (only lower down the order). Remove
it from there. And what happened to eap? It should be before unix, files,
etc.

> including configuration file /etc/raddb/modules/mschap
...
>  Module: Instantiating mschap
>   mschap {
> use_mppe = yes
> require_encryption = yes
> require_strong = yes
> with_ntdomain_hack = yes
>   }

You haven't enabled ntlm_auth in mschap module. You only have it as
standalone exec script.

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Ivan Kalik
> We're not able to get the user authenticated.

Of course not. You listed ntlm_auth in authorize.

http://deployingradius.com/documents/configuration/active_directory.html

Skip to the bit: "Configuring FreeRADIUS to use ntlm_auth"

Ivan Kalik
Kalik Informatika ISP



Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread Nicolas Goutte


On 14.05.2009 at 19:31, Davies, Mike wrote:

> We're not able to get the user authenticated.
>
> [...]
>
> radiusd:  Loading Virtual Servers
> server inner-tunnel {
>  modules {
>  Module: Checking authenticate {...} for more modules to load
>  Module: Linked to module rlm_chap
>  Module: Instantiating chap
>  Module: Instantiating ntlm_auth
>   exec ntlm_auth {
>   wait = yes
>   program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOM002 --username=%{mschap:User-Name} --password=%{User-Password}"

I do not know much about ntlm_auth but I can see that this call seems
to differ widely compared to the change that was proposed in the last
hours for Freeradius 2.1.6:

ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"

See archive: http://lists.freeradius.org/pipermail/freeradius-users/2009-May/msg00254.html

>   input_pairs = "request"
>   shell_escape = yes
>   }
>
> [...]

Have a nice day!

Nicolas Goutte

extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registry court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841

Re: FreeRADIUS Active Directory Integration

2009-05-14 Thread A . L . M . Buxey
Hi,

>  [r...@u701radius02 raddb]# ntlm_auth --request-nt-key --domain=dom002 
> --username=dw68406a --password=garrett05
> NT_STATUS_OK: Success (0x0)

good.


> +- entering group authorize {...}
> ++[preprocess] returns ok
> [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=DW68406A
> [ntlm_auth] expand: --password=%{User-Password} -> --password=
> Exec-Program output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc06a)
> Exec-Program-Wait: plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password 
> (0xc06a)
> Exec-Program: returned: 1
> ++[ntlm_auth] returns reject

no password supplied - %{Cleartext-Password}  instead? what makes you
think a password is supplied?  have you tried using the default ntlm_auth
line that comes with freeradius and just changing the --username part to
look like your chosen flavour (--domain is up to you...if needed)

alan
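The fix that Alan Buxey's replies (use the default ntlm_auth line, take ntlm_auth out of authorize), Ivan Kalik's (enable ntlm_auth inside the mschap module) and Alan DeKok's converge on, as an added side-by-side configuration example. It is not from the thread or from the FreeRADIUS distribution; the ntlm_auth path and the DOM002 domain are taken from the quoted debug output and stand in for whatever a given site uses.

```conf
# Wrong: ntlm_auth as an exec module that authorize runs directly.
# An MS-CHAPv2 request carries a challenge and a response, never a
# User-Password, so "--password=%{User-Password}" expands to nothing and
# ntlm_auth answers NT_STATUS_WRONG_PASSWORD before mschap ever runs.
# modules/ntlm_auth
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOM002 --username=%{mschap:User-Name} --password=%{User-Password}"
    input_pairs = "request"
    shell_escape = yes
}
# sites-enabled/default
authorize {
    preprocess
    ntlm_auth            # remove this line
    chap
    mschap
    suffix
    eap
    pap
}

# Right: enable ntlm_auth inside modules/mschap; rlm_mschap hands it the
# challenge and NT-Response it pulled from the request. The other settings
# are the ones quoted from the poster's mschap block.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    # Windows sends "DOMAIN\user" but computes the response over "user"
    # only; this makes the server do the same.
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
# sites-enabled/default (and inner-tunnel for PEAP): mschap in authorize
# only sets Auth-Type := MS-CHAP; the actual check runs in authenticate.
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files
    pap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
```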