Re: Machine Authentication

2008-10-20 Thread A . L . M . Buxey
Hi,

 can you please give an example how to use unlang to stiick a $ to the username

amusing. you even copied my typo/sticky key issue.

I could spoonfeed you a recipe - but you'll blindly put it into
your config without understanding it, what it does or why it might
even open up a huge security hole in your server.. wouldn't you? :-|


alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Machine Authentication

2008-10-20 Thread tnt
The statement that appends stuff is the same in hints, the users file, unlang ...

Ivan Kalik
Kalik Informatika ISP


On 20/10/2008, alois blasbichler [EMAIL PROTECTED]
wrote:

 can you please give an example how to use unlang to stiick a $ to  
 the username

 amusing. you even copied my typo/sticky key issue.

 I could spoonfeed you a recipe - but you'll blindly put it into
 your config without understanding it, what it does or why it might
 even open up a huge security hole in your server.. wouldn't you? :-|

Nice if I can amuse you.
In German we say (a variation on a well-known proverb): an example
says more than a thousand words.

Maybe somebody else could give me a link to some examples for unlang.

bye
luis




Re: Machine Authentication

2008-10-20 Thread alois blasbichler
can you please give an example how to use unlang to stiick a $ to  
the username


amusing. you even copied my typo/sticky key issue.

I could spoonfeed you a recipe - but you'll blindly put it into
your config without understanding it, what it does or why it might
even open up a huge security hole in your server.. wouldn't you? :-|


Nice if I can amuse you.
In German we say (a variation on a well-known proverb): an example
says more than a thousand words.


Maybe somebody else could give me a link to some examples for unlang.

bye
luis




Re: Machine Authentication

2008-10-20 Thread alois blasbichler

Thank you very much indeed!

luis




Re: Machine Authentication

2008-10-20 Thread A . L . M . Buxey
Hi,

 Nice if I can amuse you.
 In German we say (a variation on a well-known proverb): an example
 says more than a thousand words.

sure. and another well-known proverb is 'give a man a fish and he can eat
for a day, teach a man to fish and he can eat for ever'

i.e. I can give you 3 lines of unlang, or I can tell you to use unlang
or a reg-rewrite and you can look at the unlang and rewrite examples
and work out how and why it works

..but you want a good technical guide? Try this sort of stuff:

www.ja.net/documents/publications/technical-guides/8021x-tg-web.pdf

Page 25 uses unlang to set an updated attribute. You'd want to modify
the call and routine just to check for \blahblah and then set
the end of the string to have a $.

Likewise, the official Novell docs for dealing with this kind of stuff

http://www.novell.com/coolsolutions/feature/17044.html

tell you how to add a $ for host auth.


alan



Re: Machine Authentication

2008-10-20 Thread tnt
There are plenty of examples in the documentation on how to append a
realm (@whatever) to the username. Modify it to add $.

Ivan Kalik
Kalik Informatika ISP


On 20/10/2008, alois blasbichler [EMAIL PROTECTED]
wrote:

Quoting [EMAIL PROTECTED]:

 Hi,

 the username needs to have a $ - use unlang, for example
 to stiick a $ onto the stripped user name and use the stripped user
 name for authentication

Hello

can you please give an example how to use unlang to stiick a $ to the username

thank you
luis



Re: Machine Authentication

2008-10-17 Thread tnt
Did you try what is suggested in mschap module just above the ntlm_auth
line?

Ivan Kalik
Kalik Informatika ISP


On 17/10/2008, Casartello, Thomas [EMAIL PROTECTED] wrote:

I've tried to find something on the past posts on this list about this. I 
think I found what the problem is but was unable to find a solution. I'm 
trying to make it so I can authenticate machines using the computer name. I 
know I need to set the ntlm_auth command correctly but I couldn't find to what 
or is there another solution? Here's my output:
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for host/billlgateway.ads.wsc.ma.edu with NT-Password
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[mschap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=host/billlgateway.ads.wsc.ma.edu
[mschap]   mschap2: 72
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c0b3cf2bed56caa9
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ef761f39a5775d58921cf42503c587f05060638411cf8555
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject

Thomas E. Casartello, Jr.
Wireless Network Technician
Linux Specialist
Information Technology
Westfield State College
Westfield, MA 01086
(413) 572-8245






RE: Machine Authentication

2008-10-17 Thread Casartello, Thomas
About changing it to User-Name?



Re: Machine Authentication

2008-10-17 Thread A . L . M . Buxey
Hi,

the username needs to have a $ - use unlang, for example
to stiick a $ onto the stripped user name and use the stripped user
name for authentication

alan


RE: Machine Authentication

2008-10-17 Thread Casartello, Thomas
Figured it out by looking at an old radius.conf... had to change user-name to
mschap-user-name

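As an added example (not code from this thread or from FreeRADIUS), the Python below models what the debug output in this thread shows: it parses the "[mschap] expand:" lines for the arguments being built for ntlm_auth, applies the host/<name>.<suffix> to <name>$ rewrite that Phil Mayers further down the page describes for the %{mschap:User-Name} expansion Thomas switched to, checks that the challenge and NT-Response have the MS-CHAPv2 sizes, and assembles the argv. The sample debug lines are copied from the post with the mail-wrapped lines re-joined; the ntlm_auth path and the --domain value are assumptions, since the thread does not show them.

```python
"""Added example (not FreeRADIUS code): what ntlm_auth receives for a machine account.

Parses the "[mschap] expand:" debug lines from the thread, applies the
host/<name>.<suffix> -> <name>$ rewrite that the thread attributes to the
%{mschap:User-Name} expansion, and assembles the argv for ntlm_auth.
The ntlm_auth path and the --domain value are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: the debug lines posted in the thread, re-joined where the
# mail client wrapped them, with the expansion arrow written as "->".
SAMPLE_DEBUG = """\
[mschap] expand: --username=%{Stripped-User-Name:-%{User-Name:-None}} -> --username=host/billlgateway.ads.wsc.ma.edu
[mschap]   mschap2: 72
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=c0b3cf2bed56caa9
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ef761f39a5775d58921cf42503c587f05060638411cf8555
Exec-Program output: Logon failure (0xc06d)
"""

# "[mschap] expand: <template> -> <expanded>"; only the expanded side is used.
EXPAND_RE = re.compile(r"^\[mschap\]\s*expand:\s*(?P<template>\S+)\s+->\s+(?P<result>\S+)\s*$")

# "host/" followed by the short machine name; the DNS suffix after the first dot is dropped.
HOST_RE = re.compile(r"^host/([^./@\\]+)")


def parse_ntlm_auth_args(debug: str) -> Dict[str, str]:
    """Recover the --option=value pairs that the expand lines show being built."""
    args: Dict[str, str] = {}
    for line in debug.splitlines():
        m = EXPAND_RE.match(line)
        if m:
            option, _, value = m.group("result").partition("=")
            args[option.lstrip("-")] = value
    return args


def mschap_user_name(user_name: str) -> str:
    """Model of the rewrite described for %{mschap:User-Name}:
    'host/foo.bar' becomes 'foo$'; ordinary user names pass through unchanged,
    so the trailing '$' is only ever added to identities carrying the host/ prefix."""
    m = HOST_RE.match(user_name)
    return m.group(1) + "$" if m else user_name


def ntlm_auth_argv(args: Dict[str, str], domain: str = "ADS",
                   ntlm_auth: str = "/usr/bin/ntlm_auth") -> List[str]:
    """Build the ntlm_auth argv with the machine-account name fixed up.

    MS-CHAPv2 hands ntlm_auth an 8-byte challenge and a 24-byte NT-Response;
    any other size means the wrong attributes were expanded.  The result is a
    list for an exec without a shell, so nothing in User-Name can be parsed
    as extra arguments.
    """
    challenge, response = args["challenge"], args["nt-response"]
    if len(bytes.fromhex(challenge)) != 8 or len(bytes.fromhex(response)) != 24:
        raise ValueError("not an MS-CHAPv2 challenge/response pair")
    return [
        ntlm_auth,
        "--request-nt-key",
        "--domain=" + domain,  # assumed; the thread does not show the domain
        "--username=" + mschap_user_name(args["username"]),
        "--challenge=" + challenge,
        "--nt-response=" + response,
    ]


if __name__ == "__main__":
    parsed = parse_ntlm_auth_args(SAMPLE_DEBUG)
    print("sent to ntlm_auth :", parsed["username"])
    print("after the rewrite :", mschap_user_name(parsed["username"]))
    print(" ".join(ntlm_auth_argv(parsed)))
```

Run stand-alone it prints the name as the log shows it being sent (host/billlgateway.ads.wsc.ma.edu), the rewritten billlgateway$, and the full argv; the size check is the quick way to tell an MS-CHAPv2 exchange from a plain MS-CHAP one when reading a debug log.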


Re: Machine authentication

2008-05-07 Thread Alan DeKok
George KNIGHT wrote:
 Thank you for your reply David.
 
 I have a long way to go I guess.

  I understand.  I've been hitting the same wall for 10 years.

Q: How do I get FreeRADIUS working with a proprietary, undocumented,
non-compliant vendor software?

A: Damned if I know.  When you find out, please tell us, so other people
don't run into the same problem.

  ... and ... silence.

  Repeat that exchange every month for a decade, with different NAS
vendors, Microsoft, supplicants, VPNs, etc.  It's no wonder I'm a
little cranky at times.  I've put everything I know into the server, and
people *still* get upset that FreeRADIUS is a PoS because they can't get
some crappy vendor's products to work with it.

  What are we supposed to do?  Your frustration is natural, but we're
stuck, too.

  Alan DeKok.


Re: Machine authentication

2008-05-06 Thread George KNIGHT
Hi,
I sent an email to the list yesterday but it seems it wasn't delivered. I'm
resending it again.

/GK

On Mon, May 5, 2008 at 12:10 PM, George KNIGHT [EMAIL PROTECTED]
wrote:

 Hello All,
 I've been trying to setup an environment where WinCE OS client computers
 authenticate themselves using wireless connection to the freeradius v.2.0.3
  server with PEAP. The authenticator will eventually be Cisco AP1242 AP but
 for now I am using Symbol AP300.

 The way that I want to set this up is that the computers with WinCE OS
 will be used by users who shouldn't be asked any user name or input. All I
 want is WinCE machines to authenticate themselves with freeradius through
 certificates. Basically, I want machine authentication as opposed to user
 authentication.

 Are there specific changes I have to do on conf files for this to work? Or
 any change at the client machines?

 Thank you.
 George Knight


Re: Re: Machine authentication

2008-05-06 Thread David Mitton


George,

Your message came through just fine. But this is a voluntary list of users, and your question falls into an area that overhangs a long way outside of FreeRadius, possibly outside of the expertise in this group. I know a little about this space, so FWIW:

First off, Big Picture: to a certain extent, FR doesn't care if you are authenticating a user or a machine. It just approves (Access-Accept) the wireless connect or not. You have to configure FR so it finds, resolves and can authenticate the credentials supplied.

In your case EAP-TLS would be appropriate. I believe Microsoft gives you one of them on WinCE. You will have to install certs on the WinCE devices that meet the criteria on the client and server EAP-TLS module.

If you are trying to use FR to front end an Active Directory installation, this becomes more complicated. (I cannot describe that to you)

But even so, Remote Access authentication to AD is not a User logon, it's just access. The defaults favor user credentials or certificates, but you can configure anything that works, doesn't have to be users.

Also, WinCE "machines" are not the same as WinXP systems with their relationship to an Active Directory. They are not domain members that logon AD users. So this is not "machine authentication" in the AD sense. That said, the EAP system in WinCE is fairly equivalent to the XP EAP, but I'm not sure if there is an automatic machine connection attempt or what the source of credentials would be. (maybe from the registry?) Likely if the ability exists, you have to define it in the EAP configuration. This is a WinCE EAP client issue.

Good luck,
Dave.

Re: Re: Machine authentication

2008-05-06 Thread George KNIGHT
Thank you for your reply David.
I have a long way to go I guess.

Have a nice day.

/GK




Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-09 Thread Christian Hohmann
Hi members,

@Joe: I use version 3.0.22-13 of Samba. But I think the username that Windows
sends for authentication with the host account is controlled by the Windows client.
There I use Win XP with SP2.

@Phil: Thanks, this solution works great. So I can eliminate the second request
to the RADIUS service caused by the local realm for the ntdomain host/.

@Jacob: It seems to be a good workaround, but it would increase the calls to the
LDAP directory, so I decided to use Phil's suggestion.

I solved the problem using the mschap module in the filter line of the LDAP 
paragraph that Phil suggested.

Thanks a lot for your hints, simply great!

Best regards - Christian


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Joe Vieira
In my experience, I have seen the hosts PASS their name as
host/HOST$.domain.domain.domain. What version of Samba are you using?

Christian Hohmann wrote:
 Hi members,

 I have a problem with the name of hosts. Here is the situation:
 I have an LDAP directory which is filled by the Samba daemon, for example with
 hosts that are added to my domain. Samba signs every host account with a $
 at the end. If my laptop were named christian, the entry created by Samba
 in LDAP is christian$

 Now I configured host authentication of Windows machines with FreeRADIUS.
 Windows machines are configured to answer with their host account and
 password. The Windows machine christian answers with the string
 host/christian as username. I configured a realm with proxy to cut away
 host/. So the current username is christian.

 The username in LDAP is christian$ and so I added a $ sign in the following
 line of the radiusd.conf

 Change the line from: filter = (uid=%{Stripped-User-Name:-%{User-Name}})
 to: filter = (uid=%{Stripped-User-Name:-%{User-Name}}$)

 This adds a $ sign at the end of every user ID. I can do authentication for
 all hosts that authenticate with their host account.

 The problem is that I have no possibility to authenticate with a username
 that has no $ as last character. This is the case for all users except host
 accounts.

 Do you have a hint for me, how I could add the $ sign at the end of
 hostnames, but not for normal users?

 Best regards

 Christian


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Phil Mayers
Christian Hohmann wrote:
 Hi members,
 
 I have a problem with the name of hosts. Here is the situation: I
 have an LDAP directory which is filled by the Samba daemon, for example
 with hosts that are added to my domain. Samba signs every
 host account with a $ at the end. If my laptop were named
 christian, the entry created by Samba in LDAP is christian$

More recent versions of FreeRadius have an option in the mschap module 
to handle this - you can do:

filter = (uid=%{mschap:User-Name:-%{User-Name}})

...and the mschap module will strip the host/foo.bar to give foo$
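As an added example (not from the thread, FreeRADIUS or Samba), the Python below serves both the 2008 request earlier on this page for something that sticks a $ onto the username and Christian's filter question here. It builds the uid filter the two ways this thread discusses: the unconditional $ that locked out ordinary users, and a conditional one that adds $ only to host/ names, which is the behaviour Phil describes for %{mschap:User-Name}. It also escapes the value per RFC 4515, because the supplicant chooses User-Name and the filter is built from it. Dropping a trailing @realm is an assumption about the realm setup, not something the thread states.

```python
"""Added example (not FreeRADIUS or Samba code): building the Samba uid filter.

Models the two filters from the thread: the unconditional
"(uid=%{Stripped-User-Name:-%{User-Name}}$)" that locked out ordinary users,
and a conditional one that adds "$" only to host/ identities, the behaviour
described for %{mschap:User-Name}.  Realm handling (a trailing @realm is
dropped) is an assumption.
"""
import re
from typing import List, Tuple

HOST_RE = re.compile(r"^host/([^./@\\]+)")


def samba_uid(user_name: str) -> str:
    """RADIUS User-Name -> the uid Samba stores in LDAP.

    host/christian.example.org -> christian$
    christian                  -> christian
    christian@example.org      -> christian   (realm dropped; assumption)
    """
    name = user_name.split("@", 1)[0]
    m = HOST_RE.match(name)
    return m.group(1) + "$" if m else name


def strip_host_realm(user_name: str) -> str:
    """What the realm config in the thread left in Stripped-User-Name: 'host/' cut off."""
    name = user_name.split("@", 1)[0]
    return name[5:] if name.startswith("host/") else name


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value.

    The supplicant chooses User-Name, so it must never reach a filter
    unescaped: '*', '(', ')', '\\' and NUL would change the filter's meaning.
    """
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unconditional_filter(user_name: str) -> str:
    """The thread's first attempt: every uid gets a '$', so plain users never match."""
    return "(uid=%s$)" % ldap_escape(strip_host_realm(user_name))


def conditional_filter(user_name: str) -> str:
    """Append '$' only for host/ identities; ordinary users keep their uid."""
    return "(uid=%s)" % ldap_escape(samba_uid(user_name))


def compare(user_names: List[str]) -> List[Tuple[str, str, str]]:
    """(User-Name, unconditional filter, conditional filter) for each name."""
    return [(u, unconditional_filter(u), conditional_filter(u)) for u in user_names]


if __name__ == "__main__":
    # Constructed inputs: the laptop and user from the thread, plus a hostile name.
    # Unescaped, "*" with the appended "$" would become "(uid=*$)", a wildcard
    # over every machine account; escaping keeps it a literal asterisk.
    for row in compare(["host/christian.example.org", "christian", "*"]):
        print("%-28s %-24s %s" % row)
```

The comparison table makes the original problem visible in one glance: under the unconditional filter the user christian is searched for as christian$ and never found, while the conditional filter only touches the host/ identity. Whatever layer interpolates the name into the filter in a real deployment has to do the escaping; the example does it explicitly so the property can be checked.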


Re: Machine-Authentication against SaMBa account in LDAP Directory

2007-05-08 Thread Jacob Jarick
Christian,
You may be able to overcome / work around the problem by specifying a
2nd ldap module. Have one that appends the $ and checks and one that
doesn't.



Re: machine authentication

2006-11-15 Thread Michael Messner
OK, now the normal authentication process works again!

Normally our config for the LDAP request looks like the following:

radiusd.conf:

basedn = CN=Users,DC=isalab,DC=local
filter = sAMAccountName=%{Stripped-User-Name:-%{User-Name})
groupname_attribute = cn
groupmembership_filter = (|(&(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
groupmembership_attribute = memberOf

users:
DEFAULT LDAP-Group == "CN=adminrole,CN=users,DC=isalab,DC=local", Huntgroup-Name == "enterasys", Realm == "ISALAB.local"
        Filter-ID == "Enterasys:version=1:mgmt=su:policy=adminrole",
        Reply-Message = "Welcome %{Stripped-User-Name:-%{User-Name:-None}} in the %{Realm} - Domain, there are no restrictions for you in this network",
        Fall-Through = No

with this config we get the groupmembership from the users and we can
give the filter-ID back to the switches.

But with machine authentication it looks a bit different!
First, the DC is Computers, no more Users; then the sAMAccountName is for
example IT88$ and FreeRADIUS gives the name host/it88.isalab.local to the
AD, but this name is in the servicePrincipalName!
Also there is no memberOf any more on the device!

Any ideas how this can be done?

ca mIke




Re: machine authentication (was: Windows-Domain login without local users)

2006-11-15 Thread Alan DeKok
Michael Messner [EMAIL PROTECTED] wrote:
  I've found out that something goes completely wrong, there is
 always the ldap request!

  Because you configured it to do that?  See doc/configurable_failover
for how to handle failure cases.

  ldap: filter = sAMAccountName=%{Stripped-User-Name:-%{User-Name})

  That doesn't look right.

 rlm_ldap: performing search in CN=Users,DC=isalab,DC=local, with filter
 sAMAccountName=bob)
 rlm_ldap: ldap_search() failed: Bad search filter: sAMAccountName=bob)

  You're missing a bracket.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
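Added example, not FreeRADIUS code: a small checker for rlm_ldap filter templates, the kind of check that would have caught the stray bracket Alan points out above before the server ever ran the search, plus the user-versus-computer lookup selection Michael describes: user objects under CN=Users found by sAMAccountName, computer objects under CN=Computers found by the servicePrincipalName that carries the host/<fqdn> name Windows sends. The same servicePrincipalName search is what Kurt Willey's 2004 debug log at the end of this page shows succeeding. The base DNs are the ones from Michael's config; objectCategory=computer as the short form, and how the two lookups are wired into the server config (two ldap instances, as Jacob suggests in the 2007 thread, or a per-request expansion), are assumptions left to the deployment.

```python
"""Added example (not FreeRADIUS code): checking an rlm_ldap filter template and
choosing the AD lookup for a user versus a computer object.

Base DNs are the ones from the config above; objectCategory=computer as the
short form, and how the two lookups are wired into the server config, are
assumptions.
"""
from typing import List, Tuple

USERS_DN = "CN=Users,DC=isalab,DC=local"
COMPUTERS_DN = "CN=Computers,DC=isalab,DC=local"


def check_filter_template(template: str) -> List[str]:
    """Problems in a filter template that still contains %{...} expansions.

    Tracks '(' ')' and '%{' '}' as one nesting, so a ')' that tries to close
    a '%{' is reported; that is exactly the stray bracket in
        sAMAccountName=%{Stripped-User-Name:-%{User-Name})
    An empty list means the template is well formed.
    """
    problems: List[str] = []
    stack: List[Tuple[str, int]] = []
    i = 0
    while i < len(template):
        if template[i:i + 2] == "%{":
            stack.append(("%{", i))
            i += 2
            continue
        c = template[i]
        if c == "(":
            stack.append(("(", i))
        elif c == ")":
            if stack and stack[-1][0] == "(":
                stack.pop()
            else:
                problems.append("')' at %d has no matching '('" % i)
        elif c == "}":
            if stack and stack[-1][0] == "%{":
                stack.pop()
            else:
                problems.append("'}' at %d has no matching '%%{'" % i)
        i += 1
    for opener, pos in stack:
        problems.append("'%s' at %d is never closed" % (opener, pos))
    if not template.lstrip().startswith("("):
        problems.append("RFC 4515 filters are wrapped in an outer pair of parentheses")
    return problems


def ad_lookup(user_name: str) -> Tuple[str, str]:
    """(base DN, filter template) for this identity.

    Windows sends host/<fqdn> for a machine; AD stores that string in the
    computer object's servicePrincipalName, while sAMAccountName holds <NAME>$.
    Searching on servicePrincipalName uses the name exactly as sent, so no
    rewrite is needed for the lookup.  FreeRADIUS expands the %{...} parts;
    escaping the expanded value is the server's job, not the template's.
    """
    if user_name.startswith("host/"):
        return COMPUTERS_DN, "(&(objectCategory=computer)(servicePrincipalName=%{User-Name}))"
    return USERS_DN, "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"


if __name__ == "__main__":
    for tmpl in ("sAMAccountName=%{Stripped-User-Name:-%{User-Name})",
                 "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"):
        print(tmpl, "->", check_filter_template(tmpl) or "ok")
    for name in ("bob", "host/it88.isalab.local"):
        print(name, "->", ad_lookup(name))
```

Run on the two templates from the thread, the first one reports the ')' closing a '%{', the '%{' that is never closed and the missing outer parentheses; the corrected one passes. Group membership for computer objects is a separate question that the template does not answer.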


Re: machine authentication

2006-11-15 Thread Michael Messner
Hey Alan,

Alan DeKok wrote:
 Michael Messner [EMAIL PROTECTED] wrote:
  I've found out that something goes completely wrong, there is
 always the ldap request!
 
   Because you configured it to do that?  See doc/configurable_failover
 for how to handle failure cases.

OK, thanks for the information.

 
  ldap: filter = sAMAccountName=%{Stripped-User-Name:-%{User-Name})
 
   That doesn't look right.

The bracket is now fixed; was this the only thing or is something else
not correct?

ca mIke


Re: Machine Authentication

2006-02-21 Thread Alan DeKok
Gilmour, Scott [EMAIL PROTECTED] wrote:
 I am setting up PEAP authentication  and am using Windows 2003 Server
 Active Directory.  I am unable to authenticate using PEAP with user
 Authentication but not with Machine Authentication.  Is there something
 else I need to setup on FreeRadius to get this to work?

  You'll need a recent version of Samba and version 1.1.0 of
FreeRADIUS.

http://lists.cistron.nl/pipermail/freeradius-users/2005-October/047837.html

  Alan DeKok.


Re: Machine Authentication

2006-02-21 Thread Robert Myers
I've not done PEAP yet, but I have done EAP/TLS... there is a good
document on the main web page for EAP/TLS and maybe it will shoot you in
the right direction. Check out the news items from Oct 5, 2004, and
11 May 2004; I've used both and they are extremely helpful.


-Bob

Gilmour, Scott wrote:


Hi,

I am setting up PEAP authentication  and am using Windows 2003 Server 
Active Directory.  I am unable to authenticate using PEAP with user 
Authentication but not with Machine Authentication.  Is there 
something else I need to setup on FreeRadius to get this to work?  
Also is there a setup document somewhere where I can go through and 
double check my setup.  I have searched online and have been unable to 
find anything to help me with this.


 


Thanks,

Scott Gilmour

Software Engineer

ENET,  ENSRT
Enterasys Networks
Phone: 978-684-1236
Email:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
www: http://www.enterasys.com

 






RE: Machine Authentication

2006-02-21 Thread Gilmour, Scott
Okay Thanks,
I will start there.
Is there anything special I would need to do to Active Directory
(Windows 2003 Server) to get this to work?

Thanks,
Scott Gilmour
Software Engineer
ENET,  ENSRT
Enterasys Networks
Phone: 978-684-1236
Email:[EMAIL PROTECTED]
www: http://www.enterasys.com
 



Re: Machine Authentication

2006-02-21 Thread Michael Griego
I'm not sure I understand your question.  You have or haven't gotten
user auth working?  You have or haven't gotten machine auth working?

If you're having troubles with machine auth, have you checked the
list archives?  There are previous messages going back a couple of
months on how to set up machine authentication.  You didn't mention
what version of the server you're trying to use.  I believe the
latest stable release has the necessary code to make it work, or you
could use a CVS snapshot.


--Mike



Re: machine authentication w/ w2k ad

2004-07-29 Thread Kostas Kalevras
On Wed, 28 Jul 2004, Willey Kurt D wrote:

 I have FreeRADIUS (1.0.0-pre2) doing user authentication with W2K AD
 (peap, mschap, ldap, ntlm_auth); thanks to the archived posts for the
 help!!

 I want to use user authentication for non-domain machines (students,
 home laptops, etc - done) and machine authentication for those in active
 directory (our computers).

 I modified the ldap attribs to check servicePrincipalName
 (host\computername) but of course the machine doesn't send a password
 for mschap...

What does the machine send anyway? If you can answer that you can probably find
out a way to authorize these calls.


 Is this something I can do with FreeRADIUS or do I need to look at IAS?



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: machine authentication w/ w2k ad

2004-07-29 Thread Willey Kurt D
On Wed, 28 Jul 2004, Willey Kurt D wrote:
 I have FreeRADIUS (1.0.0-pre2) doing user authentication with W2K AD
 (peap, mschap, ldap, ntlm_auth); thanks to the archived posts for the
 help!!

 I want to use user authentication for non-domain machines (students,
 home laptops, etc - done) and machine authentication for those in active
 directory (our computers).

 I modified the ldap attribs to check servicePrincipalName
 (host\computername) but of course the machine doesn't send a password
 for mschap...

What does the machine send anyway? If you can answer that you can
probably find out a way to authorize these calls.

Kostas Kalevras   Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone:   +30 210 7721861

Here is the log of the failed try... The server is trying to use mschap;
do I need to force it to another authentication? I am guessing yes...
what do I use without breaking the user-based auth I have set up and
working?

THANKS!!

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ambrose,dc=sau,dc=edu, with filter
((servicePrincipalName=host/sauvxy5n.ambrose.sau.edu)(objectcategory=cn
=computer,cn=schema,cn=configuration,dc=ambrose,dc=sau,dc=edu))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user host/sauvxy5n.ambrose.sau.edu authorized to use remote
access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/sauvxy5n.ambrose.sau.edu
with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE

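The trace Kurt pasted above already contains the whole story: rlm_ldap authorizes the identity host/sauvxy5n.ambrose.sau.edu, but rlm_mschap then finds no NT-Password for it and the MS-CHAPv2 tunnel fails. The parser below is an added example (not code from the thread or from the FreeRADIUS project) that reads a radiusd -X style trace of this shape and reduces it to a structured diagnosis: which request, which identity, which EAP method, which module rejected, and whether the "MS-CHAP2-Response is incorrect" line is the real cause or only a consequence of the missing password. The sample trace is copied from the message above; the regexes and the assumption that an identity beginning with host/ is a machine account (the form shown in the trace) are mine.

```python
"""Summarise why a PEAP/MS-CHAPv2 request was rejected, from a FreeRADIUS
1.0.x debug trace.  Added example; not part of the thread or of FreeRADIUS."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Trace copied from the message above (wrapped lines joined).
SAMPLE_TRACE = """\
rlm_ldap: user host/sauvxy5n.ambrose.sau.edu authorized to use remote access
  modcall[authorize]: module ldap returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/sauvxy5n.ambrose.sau.edu with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 6
modcall: group Auth-Type returns reject for request 6
  modcall[authenticate]: module eap returns reject for request 6
auth: Failed to validate the user.
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
"""

# Patterns for the debug lines that appear in the trace above.
RE_USER = re.compile(r"Told to do MS-CHAPv2 for (\S+)")
RE_AUTH_TYPE = re.compile(r"Found Auth-Type (\S+)")
RE_EAP_TYPE = re.compile(r"rlm_eap: EAP/(\S+)")
RE_REJECT = re.compile(r"module (\S+) returns reject for request (\d+)")
RE_FAILED = re.compile(r"rlm_\w+: FAILED: (.+)")


@dataclass
class Diagnosis:
    request_id: Optional[int] = None
    username: Optional[str] = None
    is_machine_account: bool = False   # assumption: "host/..." identity
    auth_type: Optional[str] = None
    eap_type: Optional[str] = None
    rejecting_module: Optional[str] = None   # first module that said reject
    failures: List[str] = field(default_factory=list)
    tunnel_rejected: bool = False
    root_cause: str = "none"


def diagnose(trace: str) -> Diagnosis:
    """Walk the trace line by line and fill in a Diagnosis."""
    d = Diagnosis()
    for raw in trace.splitlines():
        line = raw.strip()
        m = RE_USER.search(line)
        if m and d.username is None:
            d.username = m.group(1)
            # Assumption: Windows machine accounts present "host/<fqdn>".
            d.is_machine_account = d.username.startswith("host/")
        m = RE_AUTH_TYPE.search(line)
        if m:
            d.auth_type = m.group(1)
        m = RE_EAP_TYPE.search(line)
        if m:
            d.eap_type = m.group(1)
        m = RE_FAILED.search(line)
        if m:
            d.failures.append(m.group(1).strip())
        m = RE_REJECT.search(line)
        if m and d.rejecting_module is None:
            d.rejecting_module = m.group(1)
            d.request_id = int(m.group(2))
        if "Tunneled authentication was rejected" in line:
            d.tunnel_rejected = True

    # Rank the failure lines: a missing NT-Password makes every later
    # "response is incorrect" line a consequence, not a separate fault.
    if any("No NT/LM-Password" in f for f in d.failures):
        d.root_cause = "missing-nt-password"
    elif any("Response is incorrect" in f for f in d.failures):
        d.root_cause = "bad-mschap-response"
    elif d.rejecting_module or d.tunnel_rejected:
        d.root_cause = "rejected-other"
    return d


def explain(d: Diagnosis) -> str:
    """One-paragraph, human-readable reading of the diagnosis."""
    if d.root_cause == "missing-nt-password":
        who = "machine account" if d.is_machine_account else "user"
        return (f"request {d.request_id}: {who} {d.username} rejected by "
                f"rlm_{d.rejecting_module} because the server holds no "
                "NT-Password for that identity, so it cannot verify the "
                "MS-CHAPv2 response locally; the 'response is incorrect' "
                "line is a consequence of that, not an independent failure.")
    if d.root_cause == "bad-mschap-response":
        return (f"request {d.request_id}: {d.username} supplied an MS-CHAPv2 "
                "response that did not match the stored NT-Password.")
    return f"request {d.request_id}: root cause {d.root_cause}"


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_TRACE)))
```

The useful distinction the tool makes is between "we have no credential to check against" and "the credential check failed": both print FAILED lines, but only the second indicates a wrong password on the client side, and only the first explains why a user-based setup that works can reject every domain machine.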


RE: machine authentication w/ w2k ad

2004-07-29 Thread Kostas Kalevras
On Thu, 29 Jul 2004, Willey Kurt D wrote:

 On Wed, 28 Jul 2004, Willey Kurt D wrote:
  I have FreeRADIUS (1.0.0-pre2) doing user authentication with W2K AD
  (peap, mschap, ldap, ntlm_auth); thanks to the archived posts for the
  help!!
 
  I want to use user authentication for non-domain machines (students,
  home laptops, etc - done) and machine authentication for those in active
  directory (our computers).
 
  I modified the ldap attribs to check servicePrincipalName
  (host\computername) but of course the machine doesn't send a password
  for mschap...

 What does the machine send anyway? If you can answer that you can
 probably find out a way to authorize these calls.

 Kostas Kalevras  Network Operations Center
 [EMAIL PROTECTED]National Technical University of Athens, Greece
 Work Phone:  +30 210 7721861

 Here is the log of the failed try... The server is trying to use mschap;
 do I need to force it to another authentication? I am guessing yes...
 what do I use without breaking the user-based auth I have set up and
 working?

You can either try and find out what password the machine uses and put them in
the machine entries in ldap (or just add them in the users file) or if you have
a way to distinguish the machine sessions from user sessions (and i am talking
about something more secure than just checking the username provided)
you can just set Auth-Type to Accept for those sessions (in the users file).


 THANKS!!

 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in dc=ambrose,dc=sau,dc=edu, with filter
 ((servicePrincipalName=host/sauvxy5n.ambrose.sau.edu)(objectcategory=cn
 =computer,cn=schema,cn=configuration,dc=ambrose,dc=sau,dc=edu))
 rlm_ldap: looking for check items in directory...
 rlm_ldap: looking for reply items in directory...
 rlm_ldap: user host/sauvxy5n.ambrose.sau.edu authorized to use remote
 access
 rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module ldap returns ok for request 6
 modcall: group authorize returns updated for request 6
   rad_check_password:  Found Auth-Type EAP
 auth: type EAP
   Processing the authenticate section of radiusd.conf
 modcall: entering group authenticate for request 6
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/mschapv2
   rlm_eap: processing type mschapv2
   Processing the authenticate section of radiusd.conf
 modcall: entering group Auth-Type for request 6
   rlm_mschap: No User-Password configured.  Cannot create LM-Password.
   rlm_mschap: No User-Password configured.  Cannot create NT-Password.
   rlm_mschap: Told to do MS-CHAPv2 for host/sauvxy5n.ambrose.sau.edu
 with NT-Password
   rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
   rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
   modcall[authenticate]: module mschap returns reject for request 6
 modcall: group Auth-Type returns reject for request 6
   rlm_eap: Freeing handler
   modcall[authenticate]: module eap returns reject for request 6
 modcall: group authenticate returns reject for request 6
 auth: Failed to validate the user.
   PEAP: Tunneled authentication was rejected.
   rlm_eap_peap: FAILURE



--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
