Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
> On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
>> Alan DeKok wrote:
>>> joe vieira wrote:
>>>> i have eap-peap authentication working against our ad domain.  peachy
>>>> keen.  what i would like to be able to do is, in our openldap
>>>> environment, store attributes for retrieval by radius, cisco stuff/
>>>> etc... i assume the way to do this would be to use the authorization
>>>> sections, but if you add ldap to that then it automatically adds ldap
>>>> authentication...which i don't want..
>>>
>>> Upgrade to a newer version of the server, which doesn't do that.
>>
>> which versions would that be?
>
> OK, I think I understand what you're asking. If you want to use LDAP
> for authorization ONLY, and something else for authentication, you
> could put an entry like this in your 'users' file:
>
> DEFAULT check_items (ex: Realm == 'your_domain')
> Autz-Type := your_ldap_instance (ex: ldap),
> Auth-Type := module_instance_for_authentication
>
> Setting Autz-Type forces a certain type of authorization. Setting
> Auth-Type forces a certain type of authentication. Doing this in a
> DEFAULT entry causes ALL users that have Fall-Through set to yes to
> be passed through the specified authorization & authentication method.
> This could also be set on a per-user basis by changing DEFAULT to
> a given user's username.
   
so i did what you recommended, which makes sense to do... i have
Autz-type := eap, and in debug mode i get this; clearly an access-reject
follows.

auth: No authenticate method (Auth-Type) configuration found for the request: 
Rejecting the user
auth: Failed to validate the user.

obviously there is a module called eap... else the daemon would not start...

what do you think?
Joe


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
>> DEFAULT check_items (ex: Realm == 'your_domain')
>> Autz-Type := your_ldap_instance (ex: ldap),
>> Auth-Type := module_instance_for_authentication
>
> so i did what you recommended, which makes sense to do... i have
> Autz-type := eap, and in debug mode i get this; clearly an access-reject
> follows.
>
> auth: No authenticate method (Auth-Type) configuration found for the
> request: Rejecting the user
> auth: Failed to validate the user.

First off, eap shouldn't be used this way. The top line of eap.conf
clearly states:

Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is smart
enough to figure this out on its own

Typical modules that would be used here are things like 'files', 'ldap',
or 'sql'. There are also special types like 'Local' & 'System', which
you'd have to use one of if you were using an sql table to store user
credentials.

The second thing you have to understand is the difference between
modules & instances. An instance is a specific configuration of a
module. The instance itself has a name that is user-specified.
I suggest you read through the configurable_failover document, which
is usually in /usr/share/doc/freeradius-version, it isn't long and
offers pretty good insight into how freeradius' configuration gets
processed.

Also, if you need to use a separate back-end for authentication,
maybe you should tell us what you need to use so we can give you
more specific answers.



Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira


Sam Schultz wrote:
>>> DEFAULT check_items (ex: Realm == 'your_domain')
>>> Autz-Type := your_ldap_instance (ex: ldap),
>>> Auth-Type := module_instance_for_authentication
>>
>> so i did what you recommended, which makes sense to do... i have
>> Autz-type := eap, and in debug mode i get this; clearly an access-reject
>> follows.
>>
>> auth: No authenticate method (Auth-Type) configuration found for the
>> request: Rejecting the user
>> auth: Failed to validate the user.
>
> First off, eap shouldn't be used this way. The top line of eap.conf
> clearly states:
>
> Whatever you do, do NOT set 'Auth-Type := EAP'.  The server is smart
> enough to figure this out on its own
>
> Typical modules that would be used here are things like 'files', 'ldap',
> or 'sql'. There are also special types like 'Local' & 'System', which
> you'd have to use one of if you were using an sql table to store user
> credentials.
>
> The second thing you have to understand is the difference between
> modules & instances. An instance is a specific configuration of a
> module. The instance itself has a name that is user-specified.
> I suggest you read through the configurable_failover document, which
> is usually in /usr/share/doc/freeradius-version, it isn't long and
> offers pretty good insight into how freeradius' configuration gets
> processed.
>
> Also, if you need to use a separate back-end for authentication,
> maybe you should tell us what you need to use so we can give you
> more specific answers.

   
reference the initial thread where i said i was authenticating off of
active directories, using eap-peap, which i had previously working just
fine.
Since i didn't specify an instance name in my eap.conf, it is referenced
as 'eap' (which i did read, but was following your advice).

Joe 




Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
> reference the initial thread where i said i was authenticating off of
> active directories, using eap-peap, which i had previously working just
> fine.
> Since i didn't specify an instance name in my eap.conf, it is referenced
> as 'eap' (which i did read, but was following your advice).

Once you configure the eap module, it tends to take care of itself.
Setting Auth-Type & Autz-Type are for when you want to force a user
(or all users, as with DEFAULT entries) to be authorized &
authenticated by the respective modules.

If you're purely using ldap for authorization & authentication, you
shouldn't need to set either one. I know in my case I had to
set access_attr_used_for_allow to 'no' because I wasn't using the ldap
schema extension packaged with freeradius.


> Joe




freeradius -peap ad/ldap

2007-03-15 Thread joe vieira
Hi all,

I'm using the RHEL build of freeradius 1.0.1.  I'm trying to do 
something  that might seem totally stupid, so let me know if i am (no 
need to flame).   I'm new to freeradius so bear with me a bit.

i have eap-peap authentication working against our ad domain.  peachy 
keen.  what i would like to be able to do is, in our openldap 
environment, store attributes for retrieval by radius, cisco stuff/ 
etc... i assume the way to do this would be to use the authorization  
sections, but if you add ldap to that then it automatically adds ldap 
authentication...which i don't want..

ideas?

Joe Vieira
UNIX Systems Administrator
Clark University


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz
On Thu, 15 Mar 2007 10:16:14 -0500 joe vieira [EMAIL PROTECTED] wrote:
> Hi all,
>
> I'm using the RHEL build of freeradius 1.0.1.  I'm trying to do

You really should upgrade that. If I recall correctly, there were
some nasty bugs in the early 1.0.x builds.

> something that might seem totally stupid, so let me know if i am (no
> need to flame).  I'm new to freeradius so bear with me a bit.

We were all new at some point, some people just forget that :)

> i have eap-peap authentication working against our ad domain.  peachy
> keen.  what i would like to be able to do is, in our openldap
> environment, store attributes for retrieval by radius, cisco stuff/
> etc... i assume the way to do this would be to use the authorization
> sections, but if you add ldap to that then it automatically adds ldap
> authentication...which i don't want..
>
> ideas?

You could try using one of the SQL modules. Unlike ldap, the sql
modules only retrieve attributes from an sql table, and set the
attributes for use by later modules (or freeradius, if the
'Auth-Type := Local' has been set)

> Joe Vieira
> UNIX Systems Administrator
> Clark University


Re: freeradius -peap ad/ldap

2007-03-15 Thread Alan DeKok
joe vieira wrote:
> i have eap-peap authentication working against our ad domain.  peachy
> keen.  what i would like to be able to do is, in our openldap
> environment, store attributes for retrieval by radius, cisco stuff/
> etc... i assume the way to do this would be to use the authorization
> sections, but if you add ldap to that then it automatically adds ldap
> authentication...which i don't want..

  Upgrade to a newer version of the server, which doesn't do that.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: freeradius -peap ad/ldap

2007-03-15 Thread joe vieira

Alan DeKok wrote:
> joe vieira wrote:
>> i have eap-peap authentication working against our ad domain.  peachy
>> keen.  what i would like to be able to do is, in our openldap
>> environment, store attributes for retrieval by radius, cisco stuff/
>> etc... i assume the way to do this would be to use the authorization
>> sections, but if you add ldap to that then it automatically adds ldap
>> authentication...which i don't want..
>
> Upgrade to a newer version of the server, which doesn't do that.

which versions would that be?


Re: freeradius -peap ad/ldap

2007-03-15 Thread Sam Schultz


On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED] wrote:
> Alan DeKok wrote:
>> joe vieira wrote:
>>> i have eap-peap authentication working against our ad domain.  peachy
>>> keen.  what i would like to be able to do is, in our openldap
>>> environment, store attributes for retrieval by radius, cisco stuff/
>>> etc... i assume the way to do this would be to use the authorization
>>> sections, but if you add ldap to that then it automatically adds ldap
>>> authentication...which i don't want..
>>
>> Upgrade to a newer version of the server, which doesn't do that.
>
> which versions would that be?

OK, I think I understand what you're asking. If you want to use LDAP
for authorization ONLY, and something else for authentication, you
could put an entry like this in your 'users' file:

DEFAULT check_items (ex: Realm == 'your_domain')
Autz-Type := your_ldap_instance (ex: ldap),
Auth-Type := module_instance_for_authentication

Setting Autz-Type forces a certain type of authorization. Setting
Auth-Type forces a certain type of authentication. Doing this in a
DEFAULT entry causes ALL users that have Fall-Through set to yes to
be passed through the specified authorization & authentication method.
This could also be set on a per-user basis by changing DEFAULT to
a given user's username.

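
Added example (not configuration posted in this thread or shipped by the FreeRADIUS project): how Sam's 'users' DEFAULT entry and his access_attr_used_for_allow note fit together with Joe's existing PEAP-against-AD setup in a FreeRADIUS 1.x-style radiusd.conf. The OpenLDAP instance appears only in authorize{}, so it can never become the authentication backend, while MS-CHAPv2 inside the PEAP tunnel continues to be verified against the AD domain through Samba's ntlm_auth. The host names, DNs, bind credentials and the "example.edu" realm are constructed placeholders; the set_auth_type option is an assumption about the newer rlm_ldap that Alan points to and should be checked against the module documentation of the version actually installed.

```conf
# ---- radiusd.conf excerpt (FreeRADIUS 1.x layout; placeholders throughout) ----

modules {
    # Inner PEAP/MS-CHAPv2 is checked against the AD domain via ntlm_auth,
    # so AD remains the only place where passwords are verified.
    mschap {
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }

    # OpenLDAP supplies attributes only. This instance is never listed under
    # authenticate{}, so no bind-as-user against the directory can happen.
    ldap {
        server   = "ldap.example.edu"                          # placeholder
        identity = "cn=radius,ou=services,dc=example,dc=edu"   # placeholder
        password = "bind-password-placeholder"                 # placeholder
        basedn   = "ou=people,dc=example,dc=edu"               # placeholder
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # The directory does not carry the FreeRADIUS schema extension, so do
        # not gate access on the dialupAccess attribute (Sam's note above).
        access_attr_used_for_allow = no
        # Assumed option of newer rlm_ldap: stop the module from forcing
        # Auth-Type := LDAP when it finds no password for the user.
        set_auth_type = no
        # Reply attributes (e.g. vendor-specific ones for Cisco gear) are
        # mapped from directory attributes in ldap.attrmap.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
    }
}

authorize {
    preprocess
    mschap      # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
    suffix      # splits user@example.edu so Realm can be matched in 'users'
    eap         # sets Auth-Type := EAP on its own; never force it from 'users'
    files
    # Runs only for requests whose 'users' entry set Autz-Type := LDAP.
    Autz-Type LDAP {
        ldap
    }
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
    # Deliberately no "Auth-Type LDAP { ldap }" block: LDAP never authenticates.
}

# ---- users file ----
# Sam's DEFAULT pattern, scoped to one realm (placeholder). Only Autz-Type is
# forced; Auth-Type is left to the mschap/eap modules, as eap.conf demands.
# Fall-Through lets later, more specific entries still apply.
DEFAULT Realm == "example.edu", Autz-Type := LDAP
        Fall-Through = Yes
```

Run the server with `radiusd -X` after the change and confirm in the debug output that the ldap module is called from the authorize section only and that Auth-Type on the inner PEAP request is still set by eap, not by ldap. If every user should get the directory lookup regardless of realm, list `ldap` directly in authorize{} and drop the DEFAULT entry; do not do both, or the module runs twice per request.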